A massive state-backed supply-chain attack involving malicious SolarWinds Orion updates also targeted Microsoft, adding a second reported private-sector victim. According to Reuters, which first broke the news of Microsoft's compromise, the hackers may have leveraged the company’s Microsoft Azure cloud services to target other victims.
Microsoft has confirmed in a statement that it found SolarWinds malware in its systems; however, it denied the allegations that the threat actor used its production systems to stage attacks on its customers.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” Microsoft said.
The recent SolarWinds security breach is thought to have affected multiple US government entities and private firms, including the US Treasury Department, the US Department of Commerce's National Telecommunications and Information Administration (NTIA), the Department of Health's National Institutes of Health (NIH), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State, and the security vendor FireEye.
In a blog post, Microsoft president Brad Smith said that the company has identified and has been working to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures.
“While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing,” Smith said.
In a new security alert released Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said it has evidence suggesting that the attackers could have breached federal networks via other means, not just through the SolarWinds Orion software suite. However, the agency said that these additional initial access vectors are still being investigated and that CISA will release updates as soon as new information becomes available.