Microsoft says an investigation of its internal systems has found evidence of malicious SolarWinds software code, indicating that the tech giant was infiltrated in the stealthy cyberattacks roiling the U.S. government.
In a statement Thursday afternoon, Microsoft said there’s no evidence that hackers were able to use the digital beachhead to access its live online services or customer data, or to mount additional cyberattacks on others. However, the company acknowledged that the investigation is ongoing.
PREVIOUSLY: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
The confirmation comes amid new revelations and warnings about the implications of the attacks, in which hackers were able to infiltrate business and government computer systems by illicitly inserting malware into software updates for a widely used IT infrastructure management product, the Solarwinds Orion Platform. SolarWinds, based in Austin, Texas, said about 18,000 customers may have installed the compromised software.
The sophisticated attacks are believed to be the work of the same Russian hacking group responsible for the 2016 attacks on the Democratic National Committee.
In an update Thursday, the U.S. Cybersecurity and Infrastructure Security Agency said the attacks pose “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
Reuters reported Thursday that Microsoft’s systems had been infiltrated, and said the company “also had its own products leveraged to further the attacks on others,” citing anonymous people familiar with the situation. But Microsoft’s statement, while confirming the presence of malicious code, said it had not found evidence that its products were then used in other attacks.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed,” a company spokesperson said in a statement. “We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
SolarWinds is a Microsoft Office 365 customer and said this week in a regulatory filing that it was “made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools.” SolarWinds said it was working with Microsoft to investigate whether this attack was associated with the attack on its Orion software build system.
Microsoft has separately made a series of aggressive moves this week to stymie the attacks, taking steps to safeguard Windows from the hacks, while seizing control of a key domain used in the attacks. However, the attacks are believed to have been taking place surreptitiously since March. Security experts and government officials say the full scope of the impact isn’t yet clear.
In a post Thursday, Brad Smith, Microsoft’s president, described the attack as “ongoing.”
“As much as anything, this attack provides a moment of reckoning,” Smith wrote. “It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”
Smith said Microsoft has identified and notified more than 40 customers who were victims of targeted attacks by the hackers.
“Put simply, we need a more effective national and global strategy to protect against cyberattacks,” he wrote. “It will need multiple parts, but perhaps most important, it must start with the recognition that governments and the tech sector will need to act together.”