SolarWinds hacking campaign puts Microsoft in the hot seat

BOSTON — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks. The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products “vacuuming up emails and files from dozens of organizations.” Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.