Microsoft may have unwittingly played a bigger role than initially thought in a massive hack that saw Russian state actors quietly breach and monitor IT systems of US government agencies and Fortune 500 companies.
The attack was revealed late last year to have been carried out primarily through a supply chain attack, in which hackers implanted malware in network management software from a company called SolarWinds.
By the time the attack was detected, around 18,000 customers had installed the malicious update, leaving their systems wide open to the bad actors for months.
Now investigators untangling the threads of the massive breach have come to a startling conclusion, the Wall Street Journal reported: nearly a third of the organisations hit in the campaign weren't using SolarWinds software.
So how did the Russian hackers get in?
Cybersecurity company Malwarebytes last month revealed itself as one of the organisations hit by this cyber campaign, despite not being a SolarWinds customer.
Malwarebytes spotted “suspicious activity” from a third-party app in Office 365 which had all the hallmarks of the SolarWinds attackers.
Another cybersecurity company, CrowdStrike, was contacted by Microsoft last December after the tech giant noticed suspicious activity from a third-party app attempting to make an API call to one of CrowdStrike's Microsoft Azure tenants.
In its write-up of the incident, CrowdStrike was critical of how difficult it was to manage and review permissions in its Azure infrastructure, and it developed and shared its own PowerShell tool to help other Azure Active Directory administrators review permissions.
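The review problem described above, that of finding which third-party apps hold broad permissions in a tenant, can be illustrated with a short script. This is an added example and not CrowdStrike's tool or any Microsoft code. It assumes that the tenant's delegated permission grants have already been exported as records shaped like Microsoft Graph `oauth2PermissionGrant` objects (the `clientId`, `consentType`, `principalId`, `resourceId` and `scope` fields are the real Graph field names, and the scope strings are real Graph delegated permission names), and that a display name has been looked up for each service principal. All sample values, app names and identifiers below are constructed; the high-risk scope list is a starting point for a reviewer, not a definitive one.

```python
"""Flag third-party app permission grants that deserve a reviewer's attention.

Added example. Input records mimic the shape of Microsoft Graph
oauth2PermissionGrant objects; the sample data at the bottom is constructed.
"""
from dataclasses import dataclass

# Delegated Graph permissions that give broad read or write access to mail,
# files or the directory itself. Treat this as a starting list (assumption),
# to be tuned to the tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}


@dataclass
class Finding:
    client_id: str
    display_name: str
    consent_type: str
    risky_scopes: list
    severity: str


def review_grants(grants, service_principals, allowlist=frozenset()):
    """Return findings for grants that carry at least one high-risk scope.

    grants: iterable of dicts with oauth2PermissionGrant fields.
    service_principals: dict mapping clientId -> displayName (for readability).
    allowlist: clientIds already vetted by the tenant's administrators.

    Tenant-wide admin consent (consentType == "AllPrincipals") on a high-risk
    scope is rated "high"; a single user's consent ("Principal") is "medium".
    """
    findings = []
    for grant in grants:
        if grant["clientId"] in allowlist:
            continue
        # The scope field is a space-separated list of delegated permissions.
        scopes = set(grant.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        severity = "high" if grant["consentType"] == "AllPrincipals" else "medium"
        findings.append(Finding(
            client_id=grant["clientId"],
            display_name=service_principals.get(grant["clientId"], "<unknown app>"),
            consent_type=grant["consentType"],
            risky_scopes=risky,
            severity=severity,
        ))
    # Tenant-wide grants first so a reviewer sees the widest exposure at the top.
    findings.sort(key=lambda f: (f.severity != "high", f.display_name))
    return findings


# Constructed sample export: three apps, one of which holds broad,
# admin-consented mail access of the kind a reviewer would want to question.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-1111": "Corporate Helpdesk Portal",
    "sp-2222": "Mail Sync Utility",
    "sp-3333": "Calendar Widget",
}

SAMPLE_GRANTS = [
    {"clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-2222", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-3333", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Calendars.Read Files.Read.All"},
]


def sample_report():
    """Run the review over the constructed sample export."""
    return review_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS)


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.severity.upper()}] {f.display_name} ({f.client_id}) "
              f"{f.consent_type}: {', '.join(f.risky_scopes)}")
```

The point of the allowlist is that a review like this is only useful if it is repeated: once an administrator has vetted an app, its clientId goes on the list and the next run shows only new or changed grants, which is the "constantly evaluating what's happening in the environment" that the article goes on to describe.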
SolarWinds told the Wall Street Journal it was investigating whether Microsoft cloud infrastructure was the first point of breach into its systems.
As US President Joe Biden brings a team of cyber experts into his new administration, administrators and security officers are looking for ways to further mitigate supply chain attacks like the one using SolarWinds.
Chief security officer at CrowdStrike, Shawn Henry, told Information Age it is exceedingly difficult to stop a breach that begins with code signed by a trusted vendor.
“It's like going into the grocery store and you find something that's completely shrink-wrapped to protect against tampering,” he said.
“You might not know if it’s been tampered with prior to being wrapped, or if the shrink wrap was removed and then replaced.”
Henry worked in the US Federal Bureau of Investigation for 24 years.
He said the size and scope of the SolarWinds breach, as it continues to unfold, was going to be a wake-up call for cyber security teams around the world.
“It's not just a US issue,” Henry said. “This is something that's been a risk for at least 15 years, and now all of a sudden it's happened again and people might not have been prepared.
“People don't necessarily prepare for something until it kind of hits them in the face.”
Given the number of vendors that organisations work with, these kinds of supply chain attacks can be near impossible to stop.
Instead, Henry said, the focus needs to be on mitigation strategies like the ‘zero trust’ approach to security.
“That means you're focused on things like multi-factor authentication and micro-segmentation,” he told Information Age.
“You need to be constantly evaluating what's happening in the environment to look for anomalous behavior and ensure that you are consistently vetting whoever's got access to that environment.
“A lot of organizations I know already have made some significant changes in the way they do business.
“It's something that we're going to have to be alert to indefinitely.”