SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to fix known issues with its cloud software facilitated the massive SolarWinds hack that involved at least nine federal government agencies, according to security experts and the office of U.S. Senator Ron Wyden.
A vulnerability first publicly revealed by researchers in 2017 allows hackers to falsify the identities of employees authorized to access customer cloud services. The technique was one of many used in the SolarWinds hack.
Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, criticized Microsoft for not doing more to prevent fake identities or warn customers about them.
“The federal government spends billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing Friday in the House of Representatives.
“We should be cautious when it comes to spending more before figuring out why the company did not warn the government about the piracy technique used by the Russians, which Microsoft has known about since at least 2017,” he said.
Microsoft President Brad Smith will testify Friday before the House committee investigating the SolarWinds hacks.
U.S. officials have blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from various governments and about 100 companies. Russia denies responsibility.
Microsoft disputed Wyden’s findings, telling Reuters that the design of its identity services was not to blame.
In response to written questions from Wyden on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “the intelligence community did not prioritize it as a risk nor was it marked by civilian agencies.”
But in a public advisory following the SolarWinds hack, on December 17, the National Security Agency called for stricter monitoring of identity services and noted: “This SAML counterfeiting technique has been known and used by cyber actors since at least 2017.”
In response to additional questions from Wyden this week, Microsoft acknowledged that its programs were not configured to detect the theft of the identity tools used to grant access to the cloud.
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed that cloud security risks should be a higher priority.
Sophisticated identity abuse by hackers “reveals a worrying weakness in the way cloud computing giants invest in security, perhaps unable to properly mitigate the risk of high-impact, low-probability failures in cloud systems at the root of their security model,” Herr said.
In congressional testimony Tuesday, Microsoft’s Smith said only about 15 percent of the victims of the SolarWinds campaign were harmed through Golden SAML. Even in these cases, the hackers had to have already gained access to the systems before deploying the method.
But Wyden’s staff said one of those victims was the U.S. Treasury, which lost emails from dozens of officials.
Reporting by Joseph Menn; editing by Jonathan Weber and Howard Goller