SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to fix known problems with its cloud software facilitated a massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden.
A vulnerability that researchers first disclosed publicly in 2017 allows hackers to spoof the identity of authorized employees to gain access to customer cloud services. The technique was one of many used in the SolarWinds hack.
Wyden, who has criticized technology companies on security and privacy issues as a member of the Senate Intelligence Committee, faulted Microsoft for not doing more to prevent identity spoofing or to warn customers about it.
“The federal government spends billions on Microsoft software,” Wyden told Reuters before a SolarWinds hearing in the House of Representatives on Friday.
“You should be cautious about spending more before finding out why the company didn’t warn the government about the hacking technique the Russians used, which Microsoft had known about since at least 2017,” he said.
Microsoft Chairman Brad Smith will testify on Friday before the House committee investigating the attacks on SolarWinds.
US officials have blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes network management software, as well as Microsoft and others, to steal data from various governments and around 100 companies. Russia denies responsibility.
Microsoft questioned Wyden’s conclusions, telling Reuters that the design of its identity services was not at fault.
In response to written questions from Wyden on February 10, a Microsoft lobbyist said that the identity hack, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it identified by civil agencies.”
But in a public notice after the SolarWinds hack on December 17, the National Security Agency called for closer monitoring of identity services, noting: “This SAML spoofing technique has been known and used by cyber actors since at least 2017.”
In response to additional questions from Wyden this week, Microsoft acknowledged that its programs were not configured to detect theft of identity tools to grant access to the cloud.
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the flaw showed that security risks in the cloud should be a higher priority.
Sophisticated identity abuse by hackers “exposes a worrisome weakness in the way the cloud computing giants invest in security, perhaps without adequately mitigating the risk of high-impact, low-probability flaws in systems at the root of their security model,” said Herr.
In testimony before Congress on Tuesday, Microsoft’s Smith said that only about 15% of the victims in the SolarWinds campaign were compromised through Golden SAML. Even in those cases, the hackers had to have gained access to the systems before using the method.
But Wyden staff said one of those victims was the US Treasury, which lost emails from dozens of officials.
Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller