Microsoft has confirmed that the recent nation-state attack, in which hackers weaponised updates of the SolarWinds Orion platform to target organisations worldwide, impacted its servers and at least 40 customer organisations.
In a strongly-worded blog post published Thursday, Brad Smith, the president of Microsoft, said this particular cyber attack was "a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them" and that it will require a strong and coordinated global cybersecurity response to counter such an attack.
Smith's statement arrived after Microsoft admitted in a brief statement that it was itself not immune to the cyber attack. However, there is no evidence that hackers behind the attack accessed the company's production systems or customer data.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed.
“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” the company said.
Agreeing with FireEye CEO Kevin Mandia that the cyber attack was carried out by a nation with top-tier offensive capabilities, Smith said the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.
The use of malware to trojanise software updates of the SolarWinds Orion platform was just an initial vector for hackers to gain access to enterprise IT systems. The fact that the Orion software is used by government agencies, enterprises, and critical infrastructure companies worldwide, totalling over 33,000 customers, enabled the attackers to target thousands of organisations through this exploit.
However, the attackers did not carry out second-stage attacks targeting all organisations that downloaded the trojanised software updates. Instead, they decided to pick and choose from among victim organisations the ones they wanted to further attack in a narrower and more focused fashion. Microsoft said at least 40 of its customers were targeted more precisely and compromised through additional and sophisticated measures.
While it is being reported that the attackers specifically targeted government agencies such as the Pentagon, the State Department, the Department of Homeland Security, the U.S. Treasury and the U.S. Commerce Department, an analysis by Microsoft reveals that 44% of the targeted organisations were in the IT sector, 18% were think-tanks or NGOs, 18% were government agencies, and 9% were government contractors.
"It’s critical that we step back and assess the significance of these attacks in their full context. This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world," said Smith in his blog post.
"In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under."
Smith added that defending against such sophisticated supply-chain attacks will require a unique level of collaboration between the public and private sectors as well as between all democratic governments that are regularly targeted by authoritarian countries with powerful cyber tools.
"Put simply, we need a more effective national and global strategy to protect against cyberattacks. It will need multiple parts, but perhaps most important, it must start with the recognition that governments and the tech sector will need to act together.
"In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together – sharing information and best practices, and coordinating not just on cybersecurity protection but on defensive measures and responses.
"Today’s technology infrastructure, from data centers to fiberoptic cables, is most often owned and operated by private companies. These represent not only much of the infrastructure that needs to be secured but the surface area where new cyberattacks typically are first spotted. For this reason, effective cyber-defense requires not just a coalition of the world’s democracies, but a coalition with leading tech companies," he said.