December 18, 2020

Microsoft confirms it found “malicious” SolarWinds code on its systems

By Robert Scammell

Microsoft has confirmed that it detected “malicious” code on its systems stemming from the SolarWinds hack that has compromised multiple US government departments and up to 18,000 SolarWinds customers.

However, the tech giant said it found no evidence that hackers accessed production services or customer data. It added that it has isolated and removed the “malicious SolarWinds binaries” and has no indication that its systems were used to attack others.

This is in direct opposition to a Reuters story on Thursday that said Microsoft’s own products were used to “further the attacks on others”.

The SolarWinds hack, which has been dubbed Sunburst, first came to light last week when US cybersecurity firm FireEye revealed it had been breached by a “highly sophisticated” attack launched by a nation state with “top-tier offensive capabilities”.

As early as March, suspected Russian nation-state hackers injected malicious code into updates for SolarWinds’ popular Orion software. Orion is used by organisations to monitor their computer networks for outages and problems.

Companies that installed the tainted Orion update unwittingly gave the hackers remote access to their networks, allowing them to steal information and possibly lay the groundwork for future attacks.

The number of victims of the supply chain attack has grown to include several US government departments, making it the biggest hack on the US government in years.

Among them are the Treasury and US Department of Commerce. The US energy department, which is responsible for managing the country’s nuclear weapons, is the latest arm of the government to confirm a breach. However, it said the security protecting its nuclear arsenal had not been compromised.

In a blog post, Microsoft President Brad Smith described the SolarWinds hack as “a moment of reckoning” and “effectively an attack on the United States and its government”.

Microsoft said that around 80% of its affected customers are located in the US. Victims have also been identified in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.

“While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under,” Smith said.