Microsoft Failed to Shore Up Defences That Could Have Limited SolarWinds Hack, US Senator Says

Microsoft President Brad Smith will testify before the US House committee investigating the SolarWinds hacks.

Advertisement
By Reuters | Updated: 26 February 2021 10:58 IST
Highlights
  • Microsoft disputed Wyden's conclusions
  • The SolarWinds hack operation was identified in December
  • US intelligence services said Russia was likely behind SolarWinds breach

Microsoft told that the design of its identity services was not at fault

Microsoft's failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden.

A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers' cloud services. The technique was one of many used in the SolarWinds hack.

Advertisement

Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, blasted Microsoft for not doing more to prevent forged identities or warn customers about it.

“The federal government spends billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing on Friday in the House of Representatives.

Advertisement

“It should be cautious about spending any more before we find out why the company didn't warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017,” he said.

Microsoft President Brad Smith will testify on Friday before the House committee investigating the SolarWinds hacks.

Advertisement

US officials have blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from multiple governments and about 100 companies. Russia denies responsibility.

Microsoft disputed Wyden's conclusions, telling Reuters that the design of its identity services was not at fault.

Advertisement

In a response to Wyden's written questions on February 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritised by the intelligence community as a risk, nor was it flagged by civilian agencies.”

But in a public advisory after the SolarWinds hack, on December 17, the National Security Agency called for closer monitoring of identity services, noting, “This SAML forgery technique has been known and used by cyber actors since at least 2017.”

In response to additional questions from Wyden this week, Microsoft acknowledged its programmes were not set up to detect the theft of identity tools for granting cloud access.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed cloud security risks should be a higher priority.

The hackers' sophisticated abuse of identities “exposes a concerning weakness in how cloud computing giants invest in security, perhaps failing to adequately mitigate the risk of high impact, low probability failures in systems at the root of their security model,” Herr said.

In congressional testimony on Tuesday, Microsoft's Smith said that only about 15 percent of the victims in the SolarWinds campaign were hurt via Golden SAML. Even in those cases the hackers had to have already gained access to systems before deploying the method.

But Wyden's staff said one of those victims was the US Treasury, which lost emails from dozens of officials.

© Thomson Reuters 2021


Is Samsung Galaxy S21+ the perfect flagship for most Indians? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

Affiliate links may be automatically generated - see our ethics statement for details.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Microsoft
Advertisement

Related Stories

Popular Mobile Brands
  1. Asics Gel-Kayano 33 Review
  2. Moto G77 Power With a 7,000mAh Battery Goes on Sale in India: See Offers
  3. Samsung Just Gave the Galaxy M47 5G a Substantial Price Hike in India
  4. Samsung Could Prioritise This Phone Over the Galaxy Z TriFold 2
  5. Here's When the Lava Virat V1 5G Will Launch in India
  6. These OnePlus Tablets Are Now More Expensive in India
  7. Tecno Camon 50 Ultra 5G India Launch Roundup: Launch Date, Expected Features
  1. Redmi Turbo 6 Series Chipset Details Leaked, Could Be Equipped With 10,000mAh Battery
  2. Bonzo Lend Hit by $9 Million Oracle Exploit on Hedera Network
  3. Samsung Galaxy Z TriFold 2 Could Be Delayed as Company Plans Slidable Phone's Debut, Tipster Claims
  4. TRAI Confirms 1600 and 140 Series Phone Numbers Cannot Be Tagged, Filtered
  5. Sony LinkBuds Clip Launched in India With Open-Ear Clip Design, Up to 37 Hours of Battery Life: Price, Features
  6. Assassin's Creed Black Flag Resynced Sells 2 Million Copies on Launch Day
  7. Google Pixel 11 Pro Fold Spotted in Pine Colourway Ahead of Made by Google Event
  8. Bitcoin Holds Near $63,000 Despite Renewed Geopolitical Tensions
  9. Moto G77 Power With 7,000mAh Battery, 50-Megapixel Camera Goes on Sale in India: Price, Offers
  10. OnePlus Pad Go 2, Pad Lite Price in India Increased Amid Ongoing RAM Shortage
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.