“We have found no indications that our systems were used to attack others,” the company said in a blog last Thursday attributed to the Microsoft security team. “Data hosted in Microsoft services (including email) were sometimes a post-compromise target of attack, but only after an attacker had gained privileged credentials in some other way.
“We’ve investigated each situation as we became aware of it and in each case, data hosted in Microsoft services (including email) were a target in the incident, but the attacker had gained privileged credentials in another way.”
In the Q&A-style blog, the question was asked whether Microsoft was an initial entry point for the Solorigate threat actor. The answer was “no.”
“In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way,” the blog read. “From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets. In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials.”
In the SolarWinds incident, attackers were able to compromise some updates last spring to the company’s Orion network management platform. That has raised questions about how the attackers initially got into SolarWinds’ environment. There were also reports that the same threat group that hit SolarWinds, dubbed UNC2452 by FireEye, also broke into other firms.
Microsoft’s possible role in Solorigate was in part raised by a statement SolarWinds put in a document to financial regulators which said “SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the company’s emails and may have provided access to other data contained in the Company’s office productivity tools.”
In response, the blog says that “we have investigated thoroughly and have found no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation.”
It notes that in a column earlier this week, SolarWinds CEO Sudhakar Ramakrishna said that “we’re pursuing numerous theories but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability.
“While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365. We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
UPDATE: Ramakrishna told the Wall Street Journal that attackers had access to at least one SolarWinds employee’s email account as far back as December 2019. That led to the compromise of other accounts. According to a chronology, in September 2019, the attackers (dubbed UNC2452 by FireEye and Dark Halo by Volexity) started accessing the SolarWinds infrastructure and injecting test code into Orion builds.