In a blog post Thursday, Microsoft President Brad Smith announced it had notified more than 40 customers of breaches due to the SolarWinds hack based on telemetry from its Defender antivirus, and argued for several policy solutions.
Later that day, the company confirmed it too had been affected by the SolarWinds fiasco, but clarified that neither customer data nor production systems showed evidence of being invaded.
The ongoing situation has seen a malicious update to the popular SolarWinds IT platform used to breach its customers, including several government customers and the security firm FireEye. Multiple reports indicate the hackers were the Russian espionage group APT 29.
In a tweet responding to a Reuters report it had been touched by the unfolding SolarWinds events, Microsoft's lead for communications shared the following statement:
Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.
If the statement is correct, and production systems were not exposed, Microsoft's systems would seemingly not have been leveraged for use in their own supply chain attacks. A supply chain attack through Microsoft would turn an existing calamity into a cataclysmic event. Microsoft's operating systems, office software, video game platform, and cloud services are globally popular with more than a billion instances in use.
In the Microsoft blog post, Smith explained that Windows Defender had identified and notified several customers — more than 80 percent in the United States — they were likely victims of the breach.
Smith went on to suggest a three-point plan he believed would prevent further supply chain attacks: Increasing intelligence sharing between government agencies and the private sector, developing stronger international norms for acceptable behavior in cyberespionage, and finding harsher ways to hold governments accountable for large scale attacks.
Traditionally, norms and mechanisms for accountability beyond indictments may not apply. The U.S.'s stance about the norms of espionage is that information gathering campaigns are something that all countries — including the U.S. — are involved in, and turning up the heat to high on those would be both impossible to enforce and detremental to our own operations. When accountability would normally come into play would be after physical consequences, damage to critical infrastructure, intellectual property theft for commercial gain or harm to human wellbeing.