The Mercury News Weekend

Suspected hackers used Microsoft vendors to breach customers

- By Joseph Menn and Raphael Satter

The suspected Russian hackers behind the worst U.S. cyber attack in years leveraged reseller access to Microsoft services to penetrate targets that had no compromised network software from SolarWinds, investigators said.

While updates to SolarWinds’ Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc said Thursday hackers had won access to the vendor that sold it Office licenses and used that to try to read CrowdStrike’s email. It did not specifically identify the hackers as being the ones that compromised SolarWinds, but two people familiar with CrowdStrike’s investigation said they were.

CrowdStrike uses Office programs for word processing but not email. The failed attempt, made months ago, was pointed out to CrowdStrike by Microsoft on Dec. 15.

CrowdStrike, which does not use SolarWinds, said it had found no impact from the intrusion attempt and declined to name the reseller.

“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation told Reuters. “If it had been using Office 365 for email, it would have been game over.”

Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients’ systems as the customers add products or employees.

Microsoft said Thursday that those customers need to be vigilant.

“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” said Microsoft senior director Jeff Jones. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”

The use of a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues the hackers, whom U.S. officials have alleged are operating on behalf of the Russian government, have at their disposal.

The known victims so far include CrowdStrike security rival FireEye Inc and the U.S. Departments of Defense, State, Commerce, Treasury, and Homeland Security. Other big companies, including Microsoft and Cisco Systems Inc, said they found tainted SolarWinds software internally but had not found signs that the hackers used it to range widely on their networks.

Until now, Texas-based SolarWinds was the only publicly confirmed channel for the initial break-ins, although officials have been warning for days that the hackers had other ways in.
