Editor's note: This story has been updated with the correct number of government agencies and private companies attacked.
In recent years, Microsoft has been at the forefront of the fight against governmental and foreign hacking, helping thwart countless attacks from Russian-linked attackers. It has publicly berated the US National Security Agency (NSA) for stockpiling software and hardware vulnerabilities so they can be exploited instead of working with companies to fix them. And it has called for an international agreement to ban cyberattacks, modeled after the Geneva Convention, which bans many weapons.
But now Microsoft is being taken to task by critics, including a prominent US Senator, for actions they say may have helped exacerbate the Russian-backed SolarWinds cyberattack against the US government and industry.
The question: Did Microsoft unintentionally abet the cyberstrike? To get at that answer, we need to first take a close look at the SolarWinds attack.
Inside SolarWinds
The hack is now widely recognized as the most sophisticated, successful and dangerous cyberattack yet on the federal government and industry. At least nine government agencies, including the US Treasury, Commerce, State, Energy, and Homeland Security departments, and about 100 private companies, including Intel, Nvidia, Cisco, Belkin, and VMware, were successfully hacked, although those numbers may rise as the investigation continues.
It’s still not clear precisely what information was stolen, or how it was used. It’s also not clear whether the attackers still have access to the federal agencies and private industry. And it’s unclear whether the attackers used their access to implant even more malware that can be used to launch future exploits.
We do, however, know how the Russian-based attack worked. It was launched by a Russian hacking group known as APT29 or Cozy Bear, which is part of Russia’s intelligence service. The group hacked into a company called SolarWinds, which develops and sells Orion, a popular network and application monitoring platform. Using what’s called a supply chain attack, they inserted malicious code into an Orion update patch. Then, when any company or agency updated its Orion software, it became infected.
More than 18,000 businesses and agencies installed the patch, allowing the Russians access to vast amounts of highly sensitive and valuable data from the most important agencies in the US government and many of the largest companies in the world. Microsoft was among those breached, but the company claims it “found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.”
Using SolarWinds, the Russians also hacked into the cybersecurity company FireEye, and stole FireEye penetration testing tools used to perform network reconnaissance and to break into networks.
What does all this have to do with Windows? Plenty, as is almost always the case with large-scale cyberattacks. SolarWinds’ Orion software runs on Windows Server.
The Russians targeted other Microsoft technologies, too. Once a business or agency downloaded the Orion update, the hackers were able to get into its network and forge the authentication tokens, called SAML tokens, that sign users into cloud services. Once they could generate those tokens, they had full access to Microsoft 365 and Azure, and to Microsoft’s Active Directory Federation Services.
This kind of attack is known as Golden SAML.
As Wired Magazine notes: “Once an attacker has the network privileges to manipulate this authentication scheme, they can generate legitimate tokens to access any of the organization's Microsoft 365 and Azure accounts, no passwords or multifactor authentication required. From there, the attackers can also create new accounts, and grant themselves the high privileges needed to roam freely without raising red flags.”
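One defensive check that follows from the Golden SAML description above, added here as an example and not code from the article or from Microsoft: a forged token is signed with the federation server's own stolen signing key, so its signature validates and the cloud side cannot tell it from a genuine one. What can tell them apart is that the federation server (AD FS) never recorded issuing it, or that its lifetime is far longer than policy allows. The log record layouts, the sample records and the one-hour lifetime policy are constructed assumptions, not real AD FS or Azure AD formats.

```python
from datetime import datetime, timedelta

# Constructed, simplified records (not real AD FS or Azure AD log formats).
# What the on-premises federation server says it issued ...
ADFS_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@corp.example",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@corp.example",
     "issued": "2020-12-10T09:05:00", "expires": "2020-12-10T10:05:00"},
]
# ... and what the cloud side actually accepted (the token's own claims).
CLOUD_ACCEPTED = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "seen": "2020-12-10T09:00:04",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    # Constructed forged token: never issued by AD FS, one-week lifetime.
    {"assertion_id": "_zz", "user": "svc-admin@corp.example", "seen": "2020-12-10T09:07:00",
     "issued": "2020-12-10T09:06:00", "expires": "2020-12-17T09:06:00"},
    # Constructed replay: a real token presented again after it expired.
    {"assertion_id": "_a2", "user": "bob@corp.example", "seen": "2020-12-10T11:30:00",
     "issued": "2020-12-10T09:05:00", "expires": "2020-12-10T10:05:00"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_tokens(issued, accepted, max_lifetime=timedelta(hours=1)):
    """Return [(assertion_id, reason)] for accepted tokens the IdP cannot vouch for.

    The correlation is the point: a valid signature alone proves nothing once the
    signing key is stolen, but the IdP's issuance log is not forgeable from the cloud side.
    """
    by_id = {e["assertion_id"]: e for e in issued}
    findings = []
    for tok in accepted:
        aid = tok["assertion_id"]
        src = by_id.get(aid)
        if src is None:
            findings.append((aid, "accepted by cloud but never issued by AD FS"))
        elif src["user"] != tok["user"]:
            findings.append((aid, "subject differs from the subject AD FS issued"))
        if _ts(tok["expires"]) - _ts(tok["issued"]) > max_lifetime:
            findings.append((aid, "validity window longer than policy"))
        if _ts(tok["seen"]) >= _ts(tok["expires"]):
            findings.append((aid, "presented after expiry"))
    return findings

if __name__ == "__main__":
    for assertion_id, reason in find_suspicious_tokens(ADFS_ISSUED, CLOUD_ACCEPTED):
        print(assertion_id, reason)
```

Running this over the constructed records flags the forged token twice (never issued, over-long lifetime) and the replayed token once, while the genuine sign-in produces no finding.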
The Feds point the finger at Microsoft
Here’s where at least one member of Congress blames Microsoft. Sen. Ron Wyden (D-OR), a member of the Senate Intelligence Committee, points the finger directly at Microsoft for not warning customers about the Golden SAML security hole — and for not closing it earlier.
He said: “The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.”
Wyden sent a series of questions to Microsoft before a hearing on the attack. Microsoft’s response claimed that Golden SAML “had never been used in an actual attack.” The company added that Golden SAML “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”
However, the NSA issued a cybersecurity advisory on Dec. 17 warning: “This SAML forgery technique has been known and used by cyber actors since at least 2017.”
The upshot
So should Microsoft be held responsible for SolarWinds and its aftermath? For the initial SolarWinds supply chain attack that gave the Russians access to federal agencies’ enterprise networks, neither Windows nor Microsoft was at fault. SolarWinds bears all the blame for the lax security practices that allowed hackers to implant malware into Orion updates. Windows insecurities had nothing to do with that attack.
But for the follow-on Golden SAML hack, Microsoft bears some culpability. As the NSA says, the hack has been used since 2017. In that time, according to Wyden, Microsoft didn’t sound the alarm or fix the security hole.
So, as good as Microsoft has been in the last several years in publicizing and fighting cyberattacks, it bears some blame for this. In a world in which countries spend massive resources on cyberattacks and cyberespionage, the company needs to do more than it has.