Various organizations are grappling with the impact of a massive hacking campaign that compromised networks using SolarWinds’ Orion network management tools, and now Microsoft says it found “malicious binaries” on its systems. As Reuters reports, the NSA sent out a cybersecurity advisory on Thursday that specifically referenced Microsoft products like Azure and Active Directory as tools the attackers targeted to gain access to other resources.
In a statement, Microsoft confirmed it had found “malicious binaries” on its systems from the attacks, but found no access that anyone had accessed production services or customer data. Reuters also reported a source saying Microsoft cloud offerings were used by hackers in the attacks, but Microsoft claimed it has not found any evidence of that. ZDNet points out that an alert from US Cybersecurity and Infrastructure Agency (CISA) said the agency had evidence of “additional access vectors” beyond the Orion platform and the backdoor it contained, dubbed Sunburst or Solarigate. CISA said it’s continuing to investifate.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Prior to issuing the statement Microsoft president Brad Smith wrote a long post about “the need for a strong and global cybersecurity response,” and said his company is working with more than 40 customers “that the attackers targeted more precisely and compromised through additional and sophisticated measures.” His focus appears to be on the incoming presidential administration, and what he considers necessary to deal with the threat of nation-state attacks on computer systems.