Microsoft has confirmed that they were hacked in the recent SolarWinds attacks but denied that their software was compromised in a supply-chain attack to infect customers.
This past weekend it was discovered that Russian state-sponsored hackers breached SolarWinds and used their auto-update mechanism to distribute a backdoor to clients.
This malicious software is a backdoor tracked as Solarigate (Microsoft) or Sunburst (FireEye) and reached the infrastructure of approximately 18,000 customers, including the U.S. Treasury, US NTIA, and the U.S. Department of Homeland Security.
Tonight, Reuters released a report stating that sources indicated that Microsoft was not only compromised in the SolarWinds supply–chain attack but also had their software modified to distribute malicious files to its clients.
In a statement to BleepingComputer, Microsoft confirmed that they detected malicious SolarWinds binaries in their environment but denies that their systems were used to compromise customers.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” Microsoft told BleepingComputer.
The known list of organizations that were hit by the SolarWinds supply chain attack include:
- U.S. Department of the Treasury
- U.S. National Telecommunications and Information Administration (NTIA)
- U.S. Department of State
- The National Institutes of Health (NIH) (Part of the U.S. Department of Health)
- U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- U.S. Department of Homeland Security (DHS)
- U.S. Department of Energy (DOE)
- U.S. National Nuclear Security Administration (NNSA)
- Three US states (Specific states are undisclosed)
As SolarWinds’ network management products are used by a wide range of organizations worldwide, we can expect to see further victims in the coming weeks.
It is reported that a Russian hacking group has allegedly attacked the City of Austin, but there is no indication that they are related to the SolarWinds breach.
12/17/20: Updated with statement from Microsoft and warnings to not disable Windows Update.