The US-based multinational tech giant Microsoft Corp’s inability to address identified issues with its cloud software enabled the major SolarWinds hack that compromised at least nine federal government agencies according to security experts and the office of U.S. Senator Ron Wyden.
A vulnerability first disclosed publicly by researchers in 2017 enables hackers to fake the identity of approved workers to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.
Mr. Wyden, who as a member of the Senate Intelligence Committee which criticized tech companies on security and privacy issues, blasted Microsoft for not doing more to deter or alert consumers about forged identities.
“The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017” Mr. Wyden points out.
U.S. officials have blamed Russia for the huge intelligence operation that infiltrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from many governments and around 100 other companies. But Russia denies liability.
A Microsoft lobbyist says the identity trick, known as Golden SAML, “had never been used in an actual attack” in a reaction to Mr. Wyden’s written questions on Feb. 10, and “was not prioritized as a concern by the intelligence community, nor was it flagged by civilian agencies”.
But the National Security Agency called for closer monitoring of identity services in a public advisory after the SolarWinds hack, on Dec. 17, adding “This SAML forgery technique has been identified and used by cyber actors since at least 2017”.
Microsoft President Mr. Brad Smith asserted that only about 15 percent of the victims in the SolarWinds campaign were harmed via SAML. Except, in those cases, the hackers had to have already gained access to systems before deploying the technique.
One of the major victims of the SolarWinds hack was the U.S. Treasury which lost emails from hundreds of officials.