9 Things to Know About Microsoft’s Role in SolarWinds Hack – ProPublica

After Russian hackers exploited a flaw in a widely used Microsoft product during one of the largest cyberattacks in U.S. history, the software giant downplayed its culpability. However, a recent ProPublica investigation revealed that a whistleblower within Microsoft’s ranks had repeatedly attempted to convince the company to address the weakness years before the hack — and that the company rebuffed his concerns at every step.
Here are the key things you need to know about that whistleblower’s efforts and Microsoft’s inaction.
In 2016, while researching an attack on a major tech company, Microsoft engineer Andrew Harris said he discovered a flaw in the company’s Active Directory Federation Services, a product that allowed users to sign on a single time for nearly everything they needed. As a result of the weakness, millions of users — including federal employees — were left exposed to hackers.
The Microsoft Security Response Center determines which reported security flaws need to be addressed. Harris said he told the MSRC about the flaw, but it decided to take no action. The MSRC argued that, because hackers would already need access to an organization’s on-premises servers before they could take advantage of the flaw, it didn’t cross a so-called “security boundary.” Former MSRC members told ProPublica that the center routinely rejected reports of weaknesses using this term, even though it had no formal definition at the time.
Following the MSRC’s decision, Harris escalated the issue to Microsoft product leaders who, he said, “violently agreed with me that this is a huge issue.” But, at the same time, they “violently disagreed with me that we should move quickly to fix it.”
Harris had proposed the temporary solution of suggesting that customers turn off the seamless single sign-on function. That move would eliminate the threat but result in users needing to log on twice instead of once. A product manager argued that it wasn’t a viable option because it risked alienating federal government customers and undermined Microsoft’s strategy to marginalize a top competitor.
At the time Harris was trying to convince Microsoft product leaders to address the flaw, the federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him.
In 2018, a colleague of Harris’ pointed out how hackers could also bypass a common security feature called multifactor authentication, which requires users to perform one or more additional steps to verify their identity, such as entering a code sent via text message.
Their discovery meant that, no matter how many additional security steps a company puts in place, a hacker could bypass them all.
When the colleagues brought this new information to the MSRC, “it was a nonstarter,” Harris said.
In November 2017, cybersecurity firm CyberArk published a blog post detailing the same flaw Harris had identified.
Microsoft would later claim this blog post was the first time it had learned of the issue, but researchers at CyberArk told ProPublica they had reached out to Microsoft staff at least twice before publication.
Later, in 2019, cybersecurity firm Mandiant would publicly demonstrate at a cybersecurity conference how hackers could exploit the flaw to gain access to victims’ cloud services. The firm said it had given Microsoft advance notice of its findings.
Within months of Harris leaving Microsoft in 2020, his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers used the flaw in the SolarWinds hack. Exploiting the weakness, hackers vacuumed up sensitive data from a number of federal agencies, including, ProPublica learned, the National Nuclear Security Administration, which maintains the United States’ nuclear weapons stockpile. The Russians also used the weakness to compromise dozens of email accounts in the Treasury Department, including those of its highest-ranking officials.
Microsoft President Brad Smith assured Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in SolarWinds, and he said customers could have taken more steps to secure their systems.
When asked what Microsoft had done to address the flaw in the years before the attack, Smith responded by listing a handful of steps that customers could have taken to protect themselves. His suggestions included purchasing an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune.
Hours after the ProPublica investigation was published, Microsoft’s Smith appeared before the House Homeland Security Committee to discuss his company’s cybersecurity failures.
Rep. Seth Magaziner, D-R.I., asked Smith about his prior congressional testimony, in which he said that Microsoft had first learned about this weakness in November 2017 from the CyberArk blog post. ProPublica’s investigation, Magaziner noted, found that Harris had raised it even earlier, only to be ignored. The lawmaker asked Smith if his prior testimony was incorrect.
Smith demurred, saying he hadn’t read the story. “I was at the White House this morning,” he told the panel.
He also complained that ProPublica’s investigation was published the day of the hearing and said that he’d know more about it “a week from now.”
However, ProPublica had sent detailed questions to Microsoft nearly two weeks before the story was published and had requested an interview with Smith. The company declined to make him available. Instead, Microsoft had issued a statement in response. “Protecting customers is always our highest priority,” a spokesperson said. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”

© Copyright 2024 Pro Publica Inc.
Creative Commons License (CC BY-NC-ND 3.0)
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.