The list of targets in the massive SolarWinds hack now includes Microsoft. Expect more vendors to join the dubious registry.

Microsoft issued the following statement:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data.”

The attackers didn’t use Microsoft’s systems to attack others, it said.

FireEye, which has investigated numerous high-profile data breaches, also fell victim to the SolarWinds hack.

The hackers inserted malicious code into SolarWinds‘ Orion software updates sent to nearly 18,000 customers. It existed in updates released between March and June of this year.

This led to security breaches at numerous U.S. government agencies. Those include the Treasury Department, the National Telecommunications and Information Administration (NTIA) and the Department of Homeland Security (DHS). The attacker also breached SolarWinds’ corporate clients.

The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds hack.

Moment of Reckoning

Brad Smith is Microsoft’s president. He said the attack “illuminates the ways the cybersecurity landscape continues to evolve and becomes even more dangerous.”

Microsoft’s Brad Smith

“As much as anything, this attack provides a moment of reckoning,” he said. “It requires that we look with clear eyes at the growing threats we face, and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”

The U.S. Department of Energy is the latest agency confirming it has been breached. However, it hasn’t impacted the department’s national security functions. That includes the National Nuclear Security Administration (NNSA).

The agency took immediate action to mitigate the risk, said Saylyn Hynes, agency spokesperson. All vulnerable software was disconnected from the DOE network.

Kaspersky Findings

On Friday, Kaspersky released its findings on the Sunburst backdoor, the malware planted in SolarWinds Orion.

Costin Raiu is head of Kaspersky’s global research and analysis team.

Kaspersky’s Costin Raiu

“In this case, it would appear the main goal was espionage,” he said. “The attackers showed a deep understanding and knowledge of Office 365, Azure, Exchange, Powershell — and leveraged it in many creative ways to constantly monitor and extract emails from their true victims’ systems.”

One of the things that sets this attack apart is the peculiar victim profiling and validation scheme, Raiu said. The attackers flagged only a handful of the 18,000 Orion IT customers as interesting.

“Finding which of the 18,000 networks were further exploited, receiving more malware, installing persistence mechanisms and exfiltrating data is likely going to cast some light into the attacker’s motives and priorities,” he said.

High-Value Targets

High-value targets include a government organization and a telecommunications company in the United States, according to Kaspersky. It didn’t disclose the identities of the organizations. Furthermore, it notified the two organizations, offering its support to discover further malicious activities, if needed.

“For those that use Orion IT, we recommend scanning your system with an updated security suite capable of detecting the compromised packages from SolarWinds,” Raiu said. “Check your network traffic for all the publicly known indicators of compromise (IOCs).”

Kaspersky has spent the past few days checking its own telemetry for signs of this attack, writing …

… additional detections and making sure its users are protected, he said.

“At the moment, we identified approximately 100 customers who downloaded the trojanized package containing the Sunburst backdoor,” Raui said. “Further investigation is ongoing, and we will continue to update with our findings.”

More Vendors Likely Breached

Scott Crawford is information security research head at 451 Research, part of S&P Global Market Intelligence. He said it’s possible that more vendors have been affected by the SolarWinds hack.

451 Research’s Scott Crawford

“We’re talking about vendors who have a pretty wide penetration of their products in a number of other organizations,” he said.

The implication with this class of attack is the potential for widespread visibility and possibly control of any organization using IT management technology, Crawford said.

The attackers “took a risk” and “blew their cover” by targeting FireEye, he said. That doesn’t mean this is the only operation the group has in the field.

“The potential for this sort of thing has been in the back of mind of many cybersecurity professionals for some time,” Crawford said. “IT management systems are what run IT for a lot of organizations. So it would be a high-value target for a number of reasons.”

Organizations may need to review and adjust a lot of accepted and approved cybersecurity practices, he said. The question is what level of analysis is feasible for organizations. They may have hundreds if not thousands of suppliers, “so the scale of this becomes pretty daunting.”

Organizations need to “think like the adversary,” Crawford said.

Andrew Barratt is managing principal of Coalfire. He said if the SolarWinds element of this breach is just the tip of the iceberg, many more business are at risk from this. Criminal groups may seek to monetize these entry points with ransomware, sensitive data theft or other denial of service attacks that result in extortion.