Microsoft said its systems were exposed to the malware used in the Russia-linked hack that targeted U.S. states and government agencies, adding that investigations so far show the malicious software wasn’t used to attack others and didn’t impact customer data or outward-facing systems.
The company is a customer of SolarWinds, whose software the hackers are believed to have used to gain access to networks by installing malicious code. Microsoft found code related to that cyber-attack “in our environment, which we isolated and removed,” spokesman Frank Shaw said in a statement posted to his Twitter account. “We have not found evidence of access to production services or customer data.”
So far, Microsoft has found “a few instances” of the SolarWinds malware in its computers, but no signs of further encroachment, Microsoft President and Chief Legal Officer Brad Smith said Friday in a Bloomberg Television interview. “We are still investigating, to be clear, but we found no indications the attackers were able to go from that point to create vulnerabilities in our products or services,” he said.
Reuters reported Thursday that Microsoft was hacked and that its systems were used to attack other entities, citing people familiar with the matter.
Any successful cyber-attack on Microsoft, the world’s largest software maker and the second-biggest cloud-infrastructure provider, could damage its standing as a trusted provider of cloud software and security services. The software giant’s involvement emerged as the wider repercussions of the far-reaching hack became more clear. SolarWinds’ customers include government agencies and Fortune 500 companies, according to the company and cybersecurity experts. The departments of Homeland Security, Treasury, Commerce and State were breached, according to a person familiar with the matter. The U.S. nuclear weapons agency and at least three states were also hacked.
Separately, Microsoft said Thursday in a blog post about the broader cyber-attack that it identified and has been working this week to notify more than 40 customers that the hackers targeted more precisely and compromised through additional and sophisticated measures. Those 40 include institutions in eight countries, Smith said in the interview Friday. Amid its investigation of its own networks, Microsoft also had 500 employees helping customers monitor and cope with the attack.
All told, probably several dozen to several hundred companies and organizations will be found to have been hacked, Smith said.
“It’s alarming because it is so sophisticated, its reach is so broad and it’s reckless — it put at risk the technology supply chain for the global economy,” he said.
Redmond, Washington-based Microsoft has become a significant vendor of cloud and security software and services, including to large government agencies, making its reputation for network protection critical to sales. The U.S. Defense Department has awarded Microsoft a $10 billion cloud-computing contract, which is currently being contested in court by rival bidder Amazon.com Inc.
In an advisory Thursday that signaled the widening alarm over the the recent breach, the U.S. Cybersecurity and Infrastructure Security Agency said the hackers posed a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector. The agency said the attackers demonstrated “sophistication and complex tradecraft.”
In a filing with the U.S. Securities and Exchange Commission on Monday, SolarWinds said it believed its monitoring products could have been used to compromise the servers of as many as 18,000 of its customers.
(Updates to add Microsoft president’s comments on the attacks starting in third paragraph.)
For more articles like this, please visit us at bloomberg.com
©2020 Bloomberg L.P.