Microsoft Reseller Compromised In Newly Revealed Attempted Intrusion Blamed On
December 28, 2020
Suspected Russian hackers have compromised a customer of software giant
Microsoft through a reseller of Microsoft products, according to news reports on
December 24, raising more questions about a massive cyberattack on U.S.
government computer networks that came to light earlier this month.
The Microsoft customer is security company CrowdStrike Holdings, which said the
hackers had gained access to the reseller that sold it licenses to Microsoft
CrowdStrike did not identify the hackers as the same ones that compromised
SolarWinds, the company whose software was previously the only known point of
entry for the suspected Russian hackers believed to be behind the intrusion that
had been reported earlier.
But two people familiar with CrowdStrike's investigation told Reuters that the
same hackers were to blame.
Russia denied any responsibility for the hack into the SolarWinds network
management software that was used to allegedly gain access to multiple U.S.
The U.S. government's top cybersecurity agency last week issued an urgent
warning about the cyberattack, saying it posed a "grave risk" to computer
networks maintained by governments, utilities, and the private sector and was
ongoing and could be difficult to purge.
Until now, SolarWinds was the only publicly confirmed channel involved in the
cyberattack, but officials had warned that they believed hackers had other ways
CrowdStrike said it had found no impact from the intrusion attempt and declined
to name the reseller. CrowdStrike uses Office programs for word processing but
The hackers “got in through the reseller's access and tried to enable mail
'read' privileges," an unidentified person familiar with the investigation told
Reuters. The intrusion would have been more serious if CrowdStrike had been
using Office for e-mail, the person said.
Many Microsoft software licenses are sold through third parties, and the company
has said those customers need to be vigilant.
"Our investigation of recent attacks has found incidents involving abuse of
credentials to gain access, which can come in several forms," said Microsoft
senior director Jeff Jones in a statement quoted by Reuters and The Washington
Post. "We have not identified any vulnerabilities or compromise of Microsoft
product or cloud services,” Jones added.
In its post, CrowdStrike alerted customers that Microsoft had detected unusual
behavior in CrowdStrike’s Azure cloud platform account and that “there was an
attempt to read email, which failed.”
Jim Langevin (Democrat-Rhode Island) said he was angry about the original
intrusion linked to SolarWinds but added that the reality is "the Russians
pulled off a highly targeted, complex and probably expensive cyberintrusion that
was a sophisticated espionage operation."
The U.S. government's response could involve expelling diplomats or suspected
spies, or imposing sanctions, Langevin said, according to The Washington Post.
SolarWinds on December 24 released an update to fix the vulnerabilities in its
network management software following the discovery of a second set of hackers
that had targeted the company.
The identity of the second set of hackers, or the degree to which they may have
broken in remains unclear.