Microsoft and 40+ Customers Hit in Russian Espionage Attack

Microsoft has notified over 40 customers that they have been compromised by malicious SolarWinds updates as part of a massive suspected Russian cyber-espionage campaign.

The attacks, which the US government acknowledged for the first time on Wednesday, are thought to have compromised numerous departments including the Treasury, Commerce, Health, Energy and State departments, plus the National Nuclear Security Administration (NNSA).

A malicious SolarWinds Orion update is thought to have been a primary attack vector for the suspected Russian state group, with the vendor claiming as many as 18,000 customers could be affected.

However, the attackers are likely to have targeted far fewer to achieve their strategic objectives. Yesterday, Microsoft president Brad Smith revealed the firm has contacted over 40 customers “targeted more precisely and compromised through additional and sophisticated measures.”

These include governments (18%), NGOs (18%), contractors (9%) and IT companies (44%), although the number of targets is expected to grow over the coming days and weeks.

“While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries,” Smith continued.

These are: Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.

“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” argued Smith.

“While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.”

In fact, Microsoft itself was forced to admit that it was also caught up in the attack campaign.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” it noted in a statement.

“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

However, US security agency CISA has confirmed that the SolarWinds updates were not the only “initial access vectors” used in this campaign.
