A former employee at Microsoft has lambasted the company for ignoring a crucial flaw which exposed countless organisations and US government to a major Russian-led hack.
Whistleblower Andrew Harris said he discovered the security issue following a separate breach at a major US tech company in 2016.
While investigating this incident, Harris reportedly uncovered a major flaw which could allow attackers to disguise themselves as legitimate employees while logging into cloud-based environments through a particular Microsoft application – risking highly sensitive data such as emails, intellectual property and even national security secrets across swathes of clients.
Harris, who was most concerned about a potential threat to federal government and national security, promptly raised the issue to his colleagues at Microsoft.
However, an investigation by publication ProPublica found the company not only dismissed his warnings, but left countless cloud services around the world vulnerable to attack – all-the-while assuring Harris it would “work on a long-term alternative”.
“Everyone violently agreed with me that this is a huge issue,” Harris told ProPublica.
“Everyone violently disagreed with me that we should move quickly to fix it.”
At the time, the US government was readying itself for significant investment in cloud computing, and according to Harris, a stonewalling product leader told him that acknowledging the security discovery could jeopardise Microsoft’s chances at landing the government’s business.
Harris further pointed out a lack of appropriate reporting avenues at Microsoft – which services over 95 per cent of Fortune 500 companies through cloud platform Microsoft Azure – telling ProPublica there is no appropriate “inspector general-type thing” within the tech giant’s ranks.
“If something egregious is happening, where the hell do you go? There’s no place to go,” said Harris.
Having nowhere else to turn, Harris reportedly took measures into his own hands and hurried to alert some of the company’s most sensitive customers directly.
Fed up after pleading with the company for “several years” and personally overseeing a crucial fix for the New York Police Department, Harris left the tech giant in August 2020 and moved to a senior director role at competing cyber security company CrowdStrike.
By December 2020, Harris and the rest of the world learned state-sponsored Russian hackers had carried out an attack on SolarWinds – an incident which is now known as one of the largest cyber attacks of all time.
Using the flaw Harris discovered, hackers collected sensitive data from the US’ National Nuclear Security Administration as well as COVID-19 research and vaccine distributor the National Institutes of Health, before further compromising the email accounts of high-ranking officials in the Treasury Department.
Setting the record straight
Russian hackers first gained access to Solarwinds systems in September 2019, and given the attack was not publicly discovered until December 2020, it is believed they may have managed to utilise the breach for more than 14 months.
Though Microsoft has long been suspected of having some blame in the historical attack, the tech giant has long denied responsibility, with company president Brad Smith assuring Congress in 2021 there was “no vulnerability in any Microsoft product or service” exploited in Solarwinds.
Now, Harris’ account tells a much different story.
Harris uncovered the neglected vulnerability in Active Directory Federation Services (AD FS), single sign-on (SSO) product which conveniently allows users to sign on a single time to access a multitude of apps, systems and devices.
The flaw, ProPublica reports, related to how AD FS used a computer language known as SAML, and effectively allowed hackers to gain near free rein if they cracked so much as a single access point – such as compromising a user account through phishing.
Once a hacker had a foothold in a target system, they could look for an AD FS instance, extract its private key, and forge “tokens” which allowed the user to disguise themselves as a high-privilege user.
In simple terms, by exploiting the flaw a hacker could quietly rummage through a target system by masquerading as a legitimate user – in many cases going unnoticed for months.
Today, the resulting Solarwinds attacks are known to have affected thousands of organisations, including Intel, Cisco, Deloitte and Microsoft itself.
Prioritising features over security
All-in-all, Harris recounts formally flagging the issue to a Microsoft product manager, director and security personnel at least six times – all the while venting about the issue to colleagues and personally assisting clients with his own short-term solution.
“I said, ‘Can you guys please listen to me,’” Harris recalled.
“‘This is probably the most important thing I’ve ever done in my career.’”
But Microsoft was seemingly more concerned with landing “one of the largest government computing contracts in US history”, as well as the risk of making threat actors aware of the flaw by publicly acknowledging its existence.
Furthermore, Harris’ ad-hoc fix – which Microsoft reportedly adopted three years after it was originally proposed – required customers to turn off Microsoft’s popular SSO feature.
At the time, Microsoft was in a heated competition with identity management company Okta, and addressing the fix could have hampered Microsoft’s biggest advantage given Okta required its user sign on twice instead of just once.
“The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” Harris told ProPublica.
No denial
Instead of directly responding to ProPublica’s findings, the company issued a statement which says protecting customers its “highest priority”.
“Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners,” a spokesperson said.
“Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”
Conversely, while speaking on a separate data breach from last year, Smith apologised to Congress on Thursday for Microsoft’s security failures, stating the company accepts responsibility “for the past and are applying what we’ve learned to help build a more secure future”.
Harris’ whistleblowing remarks come as the Pentagon is considering an expansion of its use of Microsoft software.
Tim Mackey, Principal Security Strategist at Synopsys Cyber security Research Centre, told Information Age the nature of this incident and its timeline “highlights the tension that often exists between technical teams and their business peers.”
“For a technical team, any weakness, particularly within code that is an area of expertise for that team, represents a priority to be addressed.
“If that weakness then becomes exploitable, then technical teams are even more eager to address the issue,” said Mackey.
“The problem is that new features and enhancement requests from top customers often have greater business value than bugs fixes – even if those bugs are security bugs.
“While we would all love to say that all software developers address security issues first, and then address new features, the reality is that [research and development] efforts are prioritised based on business impact.”