Microsoft President Brad Smith has said that the company has identified and is notifying more than 40 customers who have been affected by nation-state hackers who installed malware in software firm SolarWinds' Orion platform.
Cybersecurity firm FireEye’s CEO Kevin Mandia said earlier this week that “we are witnessing an attack by a nation with top-tier offensive capabilities,” and the Washington Post reported that a hacker group backed by the Russian government is behind data breaches at the Treasury and Commerce departments and other US government agencies.
According to Smith, the attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.
“As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact,” he said in a blog post late on Thursday.
The hacking group, known as APT29, or Cozy Bear, is behind the attack on FireEye, accessing its internal network and stealing hacking tools the company uses to test the networks of its customers.
“While roughly 80 per cent of these customers are located in the United States, this work so far has also identified victims in seven additional countries,” Smith informed.
The countries are Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.
“We should all be prepared for stories about additional victims in the public sector and other enterprises and organisations,” Smith warned.
In a separate security advisory, SolarWinds had said the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
As SolarWinds reported, the attackers installed their malware into an upgrade of the company’s Orion product that may have been installed by more than 17,000 customers.
The telemetry data from Microsoft’s Defender Anti-Virus software made it clear that the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.
“Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,” Smith said.
The sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI).
“One of the more chilling developments this year has been what appears to be new steps to use AI to weaponise large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps,” Smith stressed.
“We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape.”
Microsoft said in a separate statement that it has been actively looking for indicators of this actor and can confirm that “we detected malicious SolarWinds binaries in our environment, which we isolated and removed”.
“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” the company said.