SolarWinds Hack Compromised 40-plus Microsoft Customers

A decisive plurality – 44 percent – of the Microsoft customers compromised through SolarWinds are actually in the IT sector, and include software and security firms as well as IT services and equipment providers.

More than 40 Microsoft customers were precisely targeted and compromised through trojanized updates to SolarWinds’ Orion network monitoring platform, according to Microsoft President Brad Smith.

The Redmond, Wash.-based software giant said that roughly 80 percent of its compromised customers are located in the United States, with the remainder based out of Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates, Smith wrote in a blog late Thursday. The malicious Orion updates reached organizations in many major national capitals outside Russia, according to Smith.

“The latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms,” Smith wrote in the blog post. “It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous.”

Contrary to public perception, Smith said a decisive plurality – 44 percent – of the Microsoft customers compromised through SolarWinds are actually in the IT sector, and include software and security firms as well as IT services and equipment providers. The telemetry comes from Microsoft’s Defender Anti-Virus software, which identifies Defender-protected endpoints on which a malware-laden version of Orion was also installed.

Some 18 percent of the compromised Microsoft customers are government agencies, another 18 percent are think tanks or non-governmental organizations (NGOs), and 9 percent are government contractors, according to Smith. Volexity reported Monday that an intrusion into a think tank occurred when a Duo multi-factor authentication bypass in Outlook Web App was used as the initial attack vector. Duo said the attack described by Volexity wasn’t due to a vulnerability in the company’s own products.
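The victim breakdown Smith cites comes from cross-referencing endpoint telemetry against the set of trojanized Orion builds. The script below is an added illustration of that kind of analysis and is not code from the article, Microsoft or SolarWinds: it takes a software inventory per host, flags hosts whose Orion version falls inside an affected range, and reports the share of affected hosts by sector and by country. Every host, version string and the affected-version range are constructed placeholders; the real trojanized build numbers are not given in the article and should be taken from the vendor or CISA advisory.

```python
"""Added example: deriving a victim breakdown from endpoint software inventory.
All hosts, versions and the affected range below are constructed for the demo."""
import re
from collections import Counter
from dataclasses import dataclass, field

# ASSUMPTION: placeholder range standing in for the trojanized Orion builds.
# Substitute the version bounds published in the vendor/CISA advisory.
AFFECTED_MIN = "2099.1.0"
AFFECTED_MAX = "2099.3.1 HF 2"

ORION = "SolarWinds Orion"


def parse_version(text: str) -> tuple:
    """Turn '2099.3.1 HF 2' into a comparable 4-tuple (2099, 3, 1, 2).

    Only the numeric components matter for ordering; a missing hotfix or
    patch component is padded with zeros so '2099.2' sorts before '2099.2.1'.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(version: str) -> bool:
    """True when the installed version lies inside the affected range (inclusive)."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


@dataclass(frozen=True)
class Host:
    name: str
    sector: str        # e.g. "IT", "Government", "NGO", "Contractor"
    country: str
    software: dict = field(default_factory=dict)   # product -> installed version


def compromised_hosts(hosts):
    """Hosts that have Orion installed at an affected version (isolate and investigate)."""
    return [h for h in hosts if ORION in h.software and is_affected(h.software[ORION])]


def breakdown(hosts, key: str) -> dict:
    """Rounded percentage share of affected hosts grouped by `sector` or `country`."""
    hit = compromised_hosts(hosts)
    if not hit:
        return {}
    counts = Counter(getattr(h, key) for h in hit)
    return {k: round(100 * n / len(hit)) for k, n in counts.items()}


# Constructed inventory (not real telemetry): nine hosts across several sectors.
SAMPLE_HOSTS = [
    Host("itco-srv01", "IT", "US", {ORION: "2099.2.0"}),               # affected
    Host("itco-srv02", "IT", "US", {ORION: "2098.9.5"}),               # too old
    Host("secfirm-mon", "IT", "US", {ORION: "2099.3.1 HF 1"}),         # hotfix inside range
    Host("gov-mail", "Government", "US", {ORION: "2099.1.0"}),         # lower bound
    Host("thinktank-dc", "NGO", "US", {ORION: "2099.2.1"}),            # affected
    Host("contractor-ops", "Contractor", "US", {ORION: "2099.4.0"}),   # newer than range
    Host("bank-core", "Finance", "UK", {"Other Monitor": "5.1"}),      # no Orion at all
    Host("ngo-eu", "NGO", "Belgium", {ORION: "2099.2.0"}),             # affected
    Host("itco-ca", "IT", "Canada", {ORION: "2099.3.0"}),              # affected
]

if __name__ == "__main__":
    for h in compromised_hosts(SAMPLE_HOSTS):
        print(f"ISOLATE {h.name:15} {h.sector:11} {h.country:8} {h.software[ORION]}")
    print("by sector :", breakdown(SAMPLE_HOSTS, "sector"))
    print("by country:", breakdown(SAMPLE_HOSTS, "country"))
```

The version parser deliberately keeps hotfix numbers as a fourth component, so a build such as `2099.3.1 HF 1` is still caught when the advisory's upper bound is `2099.3.1 HF 2`; a string comparison would get that wrong. Hosts without Orion are simply out of scope rather than counted as clean.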

“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,” Smith wrote in the blog post.

Most of the publicly identified victims of the SolarWinds hack to date have been federal agencies, including the U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce, according to reports from Reuters and others. The only private-sector organizations flagged as having been compromised via SolarWinds are FireEye and Microsoft, with Reuters reporting the latter Thursday.

Reuters also alleged that Microsoft’s own products were then used by Russian government hackers to further the attacks on other victims. Microsoft told CRN Thursday that the sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.

Smith characterized the SolarWinds hack as not only an attack on specific targets, but also an attack on the trust and reliability of the world’s critical infrastructure. The global campaign is aimed at advancing the interests of one nation’s intelligence agency, according to Smith.

“This is not just ‘espionage as usual,’ even in the digital age,” Smith said. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

The Washington Post reported that hackers with the Russian intelligence service, known as APT29, are the ones behind this global espionage campaign. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years, which were also reportedly carried out by APT29.

The hackers seem to be focused on collecting information from victim environments, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA said that in its incident response work it has observed adversaries targeting email accounts belonging to key personnel, including IT and incident response staff.