Microsoft, SolarWinds in dispute over nation-state attacks
The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment.
The investigations into the initial attack vector used in the SolarWinds supply chain hack have led to an apparent disagreement between SolarWinds and Microsoft.
In separate blog posts last week, the two companies provided updates on their ongoing investigations into how nation-state actors initially compromised SolarWinds' environment. That compromise led to nation-state threat actors accessing the development environment for SolarWinds' Orion IT management software; the hackers placed a backdoor within software updates for the Orion platform, which were issued to thousands of SolarWinds customers last year.
In an announcement last Wednesday, SolarWinds CEO Sudhakar Ramakrishna said the threat actors behind the attack got into SolarWinds' Office 365 environment first before moving to the Orion development environment. He said the "most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability."
Ramakrishna said the investigation "has not identified a specific vulnerability in Office 365" that the threat actors could have used to enter the environment, but he said the investigation is ongoing and could last several more months.
SearchSecurity contacted SolarWinds for additional comments on the possibility of a Microsoft vulnerability being exploited in the attack. The company declined.
The following day, Microsoft issued a statement of its own that appeared to push back on the notion that an Office 365 vulnerability was to blame for the SolarWinds breach. In a blog post from the Microsoft Security Team, the company said its investigation found no evidence it was attacked via the email software. Both blog posts do note that initial attack vectors other than SolarWinds have been discovered.
Included in Microsoft's blog post was a SolarWinds 8K filing from December. According to the blog, some have interpreted the wording in that filing to mean that SolarWinds was aware of, or was investigating, an attack vector related to Microsoft Office 365. It's unclear why Microsoft revisited the older filing.
"SolarWinds uses Microsoft 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the company's emails and may have provided access to other data contained in the company's office productivity tools," the filing said.
Microsoft said its investigation does not support those findings, and it pointed to Ramakrishna's statement from the previous day as confirmation.
"We have investigated thoroughly and have no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation. SolarWinds has confirmed these findings in their blog on February 3, 2021," the blog post said.
SearchSecurity contacted Microsoft for further comment on the matter. A company spokesperson issued the following statement, reiterating Microsoft's earlier response.
"We have investigated thoroughly and have found no evidence they were attacked via our products or services. SolarWinds has confirmed these findings in their blog on February 3, 2021."
However, a source with knowledge of the investigation told SearchSecurity that SolarWinds is still looking into many potential ways the attackers could have gotten in initially, and one of those is Microsoft.
Microsoft's blog post addressed other reports regarding the SolarWinds attacks. In an alert Dec. 17, the Cybersecurity and Infrastructure Security Agency (CISA) said it had evidence that there were initial access vectors other than the SolarWinds Orion platform. The government agency said it "identified legitimate account abuse as one of those vectors." Microsoft addresses that alert in the blog by answering one question: "Has Microsoft in any way been an initial entry point for the Solorigate actor?"
"No. In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in incidents, but the attacker had gained privileged credentials in some other way," the blog post said.
According to Ramakrishna's update, employee credentials were compromised, but he did not specify how they were accessed. He did, however, confirm that sophisticated actors were in the environment and conducted reconnaissance prior to the trial run conducted on a SolarWinds Orion software build in Oct. 2019, though the software vendor has not determined the exact date.
"We've confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment," Ramakrishna wrote.
The email used was Office 365.
Microsoft was one of many SolarWinds customers impacted by the supply chain attack. Microsoft notified SolarWinds on Dec. 13, 2020 about a compromise related to SolarWinds' Office 365 environment.