Microsoft Reseller Compromised In Newly Revealed Attempted Intrusion Blamed On Russian Hackers
December 28, 2020
Suspected Russian hackers have compromised a customer of software giant
Microsoft through a reseller of Microsoft products, according to news reports on
December 24, raising more questions about a massive cyberattack on U.S.
government computer networks that came to light earlier this month.
The Microsoft customer is security company CrowdStrike Holdings, which said the
hackers had gained access to the reseller that sold it licenses to Microsoft
Office software.
CrowdStrike did not say whether the hackers were the same ones that compromised
SolarWinds. Until this disclosure, SolarWinds' software was the only known point
of entry used by the suspected Russian hackers believed to be behind the
intrusion reported earlier this month.
But two people familiar with CrowdStrike's investigation told Reuters that the
same hackers were to blame.
Russia has denied any responsibility for the compromise of SolarWinds' network
management software, which was allegedly used to gain access to multiple U.S.
government agencies.
The U.S. government's top cybersecurity agency, the Cybersecurity and
Infrastructure Security Agency (CISA), last week issued an urgent warning about
the cyberattack, saying it posed a "grave risk" to computer networks maintained
by governments, utilities, and the private sector, that it was ongoing, and that
it could be difficult to purge.
Until now, SolarWinds was the only publicly confirmed channel involved in the
cyberattack, but officials had warned that they believed hackers had other ways
in.
CrowdStrike said it had found no impact from the intrusion attempt and declined
to name the reseller. CrowdStrike uses Office programs for word processing but
not e-mail.
The hackers "got in through the reseller's access and tried to enable mail
'read' privileges," an unidentified person familiar with the investigation told
Reuters. The intrusion would have been more serious if CrowdStrike had been
using Office for e-mail, the person said.
Many Microsoft software licenses are sold through third parties, and the company
has said customers who buy through resellers need to be vigilant about the
access those resellers hold to their accounts.
"Our investigation of recent attacks has found incidents involving abuse of
credentials to gain access, which can come in several forms," said Microsoft
senior director Jeff Jones in a statement quoted by Reuters and The Washington
Post. "We have not identified any vulnerabilities or compromise of Microsoft
product or cloud services," Jones added.
In its own blog post on the incident, CrowdStrike told customers that Microsoft
had detected unusual behavior in CrowdStrike's Microsoft Azure account and that
"there was an attempt to read email, which failed."
Representative Jim Langevin (Democrat-Rhode Island) said he was angry about the original
intrusion linked to SolarWinds but added that the reality is "the Russians
pulled off a highly targeted, complex and probably expensive cyberintrusion that
was a sophisticated espionage operation."
The U.S. government's response could involve expelling diplomats or suspected
spies, or imposing sanctions, Langevin said, according to The Washington Post.
Separately, SolarWinds on December 24 released an update to fix vulnerabilities
in its network management software following the discovery of a second set of
hackers that had targeted the company.
The identity of that second set of hackers, and how far they may have broken
in, remains unclear.