Suspected Russian hackers used Microsoft vendors to breach customers
By Joseph Menn and Raphael Satter
WASHINGTON (Reuters) - The suspected Russian hackers behind the worst US cyberattack in years used reseller access to Microsoft Corp. services to penetrate targets where SolarWinds Corp's network software has not been compromised.
While updates to SolarWinds' Orion software have been the only known entry point so far, security firm CrowdStrike Holdings Inc said on Thursday that hackers had gained access to the vendor that sold it Office licenses and had attempted to use that access to read CrowdStrike's email. The hackers were not specifically identified as those who compromised SolarWinds, but two people familiar with CrowdStrike's investigation said they were the same group.
CrowdStrike uses Office word processing programs, but not its email service. The attempted intrusion, made months ago, was reported to CrowdStrike by Microsoft on December 15th.
CrowdStrike, which does not use SolarWinds, said it had seen no impact from the intrusion attempt and declined to name the reseller.
"You came in via the reseller's access and tried to activate e-mail read permissions," one of the people familiar with the investigation told Reuters. "If Office 365 had been used for email, it would be game over."
Many Microsoft software licenses are sold through third parties, and those companies have almost constant access to customers' systems as customers add products or employees.
Microsoft said Thursday these customers need to be vigilant.
"Our investigation into the recent attacks has revealed incidents where credentials have been misused to gain access. These can take many forms," said Jeff Jones, Microsoft senior director. "We did not find any weaknesses or compromises in Microsoft products or cloud services."
Using a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues are available to the hackers, who US officials say operate on behalf of the Russian government.
Known victims include CrowdStrike security competitor FireEye Inc and the U.S. Departments of Defense, State, Commerce, Treasury and Homeland Security. Other large companies, including Microsoft and Cisco Systems Inc, said they found tainted SolarWinds software internally but found no evidence that the hackers used it to gain wide reach on their networks.
So far, Texas-based SolarWinds has been the only publicly confirmed channel for the initial break-ins, though officials have been warning for days that the hackers had other options.
Reuters reported a week ago that Microsoft products were used in the attacks. But federal officials said they did not see them as the initial vector, and the software giant said its systems were not used in the campaign. (https://www.reuters.com/article/idUSKBN28R2ZJ)
Microsoft nonetheless suggested that its customers should still be careful. At the end of a long technical blog post on Tuesday, a single sentence noted that hackers can access the Microsoft 365 cloud "from trusted provider accounts where the attacker has compromised the provider environment".
Microsoft requires its vendors to have access to client systems in order to install products and add new users. However, it is so difficult to find out which providers still hold access rights at a given point in time that CrowdStrike has developed and published an auditing tool for it.
After a number of other breaches via cloud vendors, including a series of attacks by Chinese government-backed hackers known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency had no immediate comment.
Also on Thursday, SolarWinds released an update to address vulnerabilities in its flagship network management software, Orion, after a second group of hackers was discovered targeting the company's products. A separate Microsoft blog post on Friday found that SolarWinds' software had been targeted by a second, unrelated group of hackers in addition to the Russia-linked hackers.
The identity of the second group of hackers, and the extent to which they successfully broke into anything, remains unclear.
Russia has denied playing a role in the hacking.
(Reporting by Joseph Menn and Raphael Satter. Additional reporting by Munsif Vengattil; Editing by Chizu Nomiyama, Alistair Bell and Richard Chang)