The massive hack against the US government also sent malicious computer code to Microsoft. However, the company says it neutralized the infection before any major damage was done.
Microsoft is a customer of SolarWinds, the IT provider the hackers exploited to send software updates to numerous US government agencies. “We have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” the company said in a statement.
Microsoft added: “We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
The statement pushes back against a Reuters report that claims the hackers behind the SolarWinds breach also infiltrated Microsoft and exploited its tool to hit other victims.
Nevertheless, US investigators have warned that the hackers behind the breach didn’t just stop at exploiting SolarWinds to spy on the US government. Evidence is emerging the culprits used a variety of tactics to infiltrate their targets, meaning the full scope of the breach is still unknown.
According to SolarWinds, around 18,000 customers received the malicious software updates, giving the hackers a backdoor into their networks. Nevertheless, the hackers were still selective in which SolarWinds customers they targeted. So far, the breach has ensnared several US government agencies including the Department of Energy and the National Nuclear Security Administration, which maintains the country's nuclear weapons stockpile.
On Thursday, Microsoft also revealed it’s been investigating the breach and trying to warn victims. “Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,” Microsoft President Brad Smith wrote in a blog post.
Eighty percent of the notified victims are based in the US. However, 44% of them relate to the information technology sector. Only 18% have to do with the government.
Smith went on to describe the hack as an “attack on the United States and its government and other critical institutions." As a result, he's calling on both the US and the tech sector to spearhead "a strong and coordinated global cybersecurity response." The company refrained from naming names, though Smith notes Russia’s involvement in past hacks against the US.
According to The Washington Post, the US currently suspects the Russian state-sponsored hacking group known as Cozy Bear instigated the breach against SolarWinds. However, the Kremlin has denied any involvement.
On Friday, Russian antivirus company Kaspersky Lab weighed in on the hack and said the culprits were also interested in infiltrating an unnamed US telecommunication provider with over 6 million customers. "At the moment, there are no technical links with previous attacks, so it may be an entirely new actor, or a previously known one that evolved its TTPs (Tactics, Techniques, and Procedures) and opsec to the point that it can’t be linked anymore," the company added.