SolarWinds hacking campaign puts Microsoft in the hot seat
BOSTON (AP) — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.
Yet it was Microsoft whose code the cyber spies persistently abused in the campaign's second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.
This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.
Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.
Risks in Microsoft's foreign dealings also came into relief when the Biden administration imposed sanctions Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.
The SolarWinds hackers' abuse of Microsoft’s authentication architecture — which validates users' identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products,” “vacuuming up emails and files from dozens of organizations.”
Thanks in part to the carte blanche that victim networks granted the infected SolarWinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to break into the cybersecurity firm Malwarebytes and to target customers of an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an— allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D-Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.
“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
When Microsoft on Wednesday announced a year of advanced security features for federal agencies at no extra charge, features for which it normally charges a premium, Wyden was not appeased.
“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”
Rep. Jim Langevin, D-R.I., had pressed Smith in February on the security logging upsell, comparing it to making seat belts and air bags options in cars when they should be standard. He commended Microsoft for the one-year reprieve, but said a longer-term conversation is due about it “not being a profit center.” He said “this buys us a year.”
Even the highest level of logging doesn't prevent break-ins, though. It only makes it easier to detect them.
And remember, many security professionals note, Microsoft was itself breached by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry's most skilled cyber-defense practitioners — had failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity firm that first detected the hacking campaign in mid-December.
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users' email and other info.
Across the industry, Microsoft’s investments in security are widely acknowledged. So great is its visibility into networks that it is often the first to identify major cybersecurity threats. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.
“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.
Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month's $1.9 trillion pandemic relief act.
A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn't think a final decision has been made.
In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.
Many security experts believe Microsoft's single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.
Alex Weinert, Microsoft's director of identity security, said it offers customers ways to restrict users' access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”
In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on
Curtis Dukes was the National Security Agency's head of information assurance at the time.
The OPM shared data across multiple agencies using Microsoft's authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.
“People took their eye off the ball.”