Written by Shannon Vavra
During the course of investigating the SolarWinds breach, CrowdStrike says Microsoft uncovered an attempt from unidentified hackers to read emails linked with the company.
The hackers failed in their attempt to breach CrowdStrike, Chief Technology Officer Michael Sentonas said in a blog post Wednesday. Microsoft researchers first found the attempt, Sentonas said.
Microsoft told CrowdStrike that “several months ago,” the Microsoft Azure account of a Microsoft reseller was making “abnormal calls” to Microsoft cloud application programming interfaces (APIs). The account managed Microsoft Office licenses for CrowdStrike.
The attackers tried to access emails, but, “as part of our secure IT architecture, CrowdStrike does not use Office 365 email,” Sentonas said.
“We have conducted an extensive review of our production and internal environments and found no impact,” Sentonas said. “CrowdStrike conducted a thorough review into not only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft.”
It was unclear if the suspected Russian hackers behind SolarWinds breach, which has compromised FireEye, Microsoft and U.S. government agencies, have also targeted CrowdStrike.
It was also not clear what emails the hackers were interested in reading.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” Jeff Jones, a senior director at Microsoft, told CyberScoop in a statement. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not immediately return requests for comment.
The National Security Agency, which previously issued an alert warning of how the SolarWinds hackers could exploit vulnerabilities, declined to comment.
The development comes weeks after the news first emerged of the SolarWinds breach, in which suspected Russian hackers backdoored software updates for the network management tool SolarWinds Orion. CrowdStrike’s revelations Thursday are a reminder that the fallout from the sweeping espionage operation may continue to grow. Just in the last week Microsoft, which itself acknowledged it had found some of the attackers’ malicious code in its systems, revealed that it had found a second hacking group that had deployed malware against SolarWinds.
CrowdStrike’s disclosure could reveal a new wrinkle to the story; Sentonas does not name the reseller, raising questions about how many other potential targets the SolarWinds hackers targeted through it, and whether any of those attempts were successful.
In a sign that responding to and investigating the SolarWinds operation will take extensive talent and resources, Sentonas said that in CrowdStrike’s followup probe into the incident, CrowdStrike found some of the process to be challenging with several overly burdensome steps.
“Throughout our analysis, we experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them,” Sentonas wrote. “We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”
By some estimates, the SolarWinds breach could impact thousands of organizations across the public and private sector. Already federal agencies, including the Departments of Commerce, State, Defense, Homeland Security and others, are reported to have been compromised.
The U.S. government’s investigation into the SolarWinds breach is ongoing. Just weeks ago the White House National Security Council initiated an emergency cyber incident response process to coordinate multiple agencies’ efforts to assess the damage from the espionage operation and next steps for possible responses.
Private sector companies are permitted to be involved in the NSC process, by definition. CrowdStrike did not immediately return request for comment on whether it has gotten involved in the NSC meetings.
Lawmakers have expressed concerns in recent days over whether impacted organizations are being forthcoming about the extent of the damages. The fact that the public learned of the SolarWinds breach because a private sector entity, FireEye, first uncovered it, has also raised alarm bells in Congress, leading many to question how the hackers could have sneaked past U.S. cyberdefenses and counterintelligence operations.
Multiple lawmakers have requested briefings on the espionage operation, including Chairman of the House Intelligence Committee, Rep. Adam Schiff, and Sens. Bob Menendez, D-N.J.; Richard Blumenthal, D-Conn.; Sherrod Brown, D-Ohio, and Ron Wyden, D-Ore.
Corrected, 12/24/20: An earlier version of this story misstated CrowdStrike’s attribution of the attempted intrusion. CrowdStrike’s blog post does not attribute it directly to the suspected SolarWinds hackers.