9 things you should know about Microsoft’s role in the SolarWinds hack — ProPublica

After Russian hackers exploited a vulnerability in a widely used Microsoft product in one of the largest cyberattacks in U.S. history, the software giant downplayed its culpability. But a recent investigation by ProPublica found that a whistleblower within Microsoft had repeatedly tried to persuade the company to fix the vulnerability years before the hack – and that the company had consistently dismissed his concerns.

Here are the key things you need to know about this whistleblower’s efforts and Microsoft’s inaction.

Years before the SolarWinds hack was discovered in 2020, a Microsoft engineer discovered a security vulnerability that these hackers eventually exploited.

In 2016, while investigating an attack on a major technology company, Microsoft engineer Andrew Harris discovered a flaw in the company’s Active Directory Federation Services, a single sign-on product that lets users log in once to reach almost everything they need. This vulnerability left millions of users – including federal employees – defenseless against hackers.

Harris said the Microsoft team responsible for handling vulnerability reports dismissed his concerns.

The Microsoft Security Response Center determines which reported vulnerabilities need to be fixed. Harris said he informed the MSRC about the flaw, but it decided not to take action. The MSRC argued that hackers would already need access to an organization’s local servers before they could exploit the flaw, and that it therefore did not cross what it calls a “security boundary.” Former MSRC members told ProPublica that the center routinely dismissed reports of vulnerabilities under that term, even though there was no formal definition for it at the time.

Microsoft product managers also refused to fix the problem.

Following the MSRC’s decision, Harris escalated the issue to Microsoft’s product leaders, who “strongly agreed with him that this is a huge problem,” but “strongly disagreed that we should move quickly to fix it.”

Harris had suggested that, as a temporary solution, customers should turn off the seamless single sign-on feature. This move would eliminate the threat, but would require users to sign in twice instead of once. A product manager argued that this was not a viable option, because it risked alienating federal government customers and undermining Microsoft’s strategy of marginalizing a top competitor.

Microsoft was also concerned that disclosing the security flaw could harm its chances of winning future government contracts worth billions, Harris said.

As Harris tried to convince Microsoft product executives to fix the bug, the federal government was preparing a massive investment in cloud computing, and Microsoft wanted the business. Admitting this security flaw could jeopardize the company’s chances, Harris recalled one product executive saying.

Harris eventually determined that the bug was even worse than he had originally thought. Microsoft again chose not to take action, he said.

In 2018, a colleague of Harris’ pointed out that hackers could also bypass a common security feature called multifactor authentication, which requires users to take one or more additional steps to confirm their identity, such as entering a code sent via SMS.

Their discovery meant that a hacker could bypass any additional security measures, no matter how many a company puts in place.

When colleagues presented this new information to the MSRC, “it was a hopeless endeavor,” Harris said.

External researchers also warned the company about the vulnerability.

In November 2017, cybersecurity company CyberArk published a blog post describing the same flaw that Harris had identified.

Microsoft later claimed that the blog post was the first time the company learned about the issue, but researchers at CyberArk told ProPublica that they reached out to Microsoft officials at least twice before publishing the information.

Later, in 2019, cybersecurity firm Mandiant publicly demonstrated at a cybersecurity conference how hackers could exploit the vulnerability to gain access to victims’ cloud services. The company said it had informed Microsoft of its findings in advance.

Ultimately, Russian hackers exploited the very vulnerability that Harris and the others had identified.

A few months after Harris left Microsoft in 2020, his fears became reality. U.S. authorities confirmed reports that a state-sponsored team of Russian hackers had exploited the vulnerability in the SolarWinds hack. The hackers exploited the vulnerability and siphoned off sensitive data from a number of federal agencies, including, ProPublica learned, the National Nuclear Security Administration, which manages the U.S. nuclear weapons stockpile. The Russians also used the vulnerability to compromise dozens of email accounts at the Treasury Department, including those of the highest-ranking officials.

In congressional hearings following the SolarWinds attack, Microsoft’s president insisted that the company was not to blame.

Microsoft President Brad Smith assured Congress in 2021 that SolarWinds “did not identify a vulnerability in any Microsoft product or service that was exploited,” and he said customers could have taken more steps to secure their systems.

When asked what Microsoft did to fix the vulnerability in the years leading up to the attack, Smith responded by listing a handful of steps customers could have taken to protect themselves. His suggestions included purchasing an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune.

After ProPublica published its investigation, lawmakers pressed Microsoft’s Smith on whether his previous testimony to Congress had been false.

Hours after the ProPublica investigation was published, Microsoft’s Smith appeared before the House Homeland Security Committee to discuss his company’s cybersecurity shortcomings.

Rep. Seth Magaziner, D-R.I., asked Smith about his previous testimony before Congress in which he said Microsoft first learned of the vulnerability in November 2017 through CyberArk’s blog post. ProPublica’s investigation, Magaziner said, found that Harris had raised the vulnerability even earlier, only to be ignored. The representative asked Smith if his previous statement was false.

Smith disagreed, saying he had not read the story. “I was at the White House this morning,” he told the panel.

He also complained that ProPublica’s investigation was not released until the day of the hearing and said he would know more about it “in a week.”

However, nearly two weeks before the article was published, ProPublica had sent detailed questions to Microsoft requesting an interview with Smith. The company declined to make him available. Instead, Microsoft issued a statement in response. “Protecting customers is always our highest priority,” a spokesperson said. “Our security team takes all security issues seriously and reviews each case with due diligence, conducting a thorough manual assessment and cross-confirming with engineering and security partners. Our assessment of this issue has been reviewed multiple times and was consistent with industry consensus.”