Russians Are Believed To Have Used Microsoft Resellers in Cyberattacks

As the United States comes to grips with a far-reaching Russian cyberattack on federal agencies, private corporations and the nation’s infrastructure, new evidence has emerged that the hackers hunted their victims through multiple channels. From a report: The most significant intrusions discovered so far piggybacked on software from SolarWinds, the Austin-based company whose updates the Russians compromised. But new evidence from the security firm CrowdStrike suggests that companies that sell software on Microsoft’s behalf were also used to break into customers of Microsoft’s Office 365 software. Because resellers are often entrusted to set up and maintain clients’ software, they — like SolarWinds — have been an ideal front for Russian hackers and a nightmare for Microsoft’s cloud customers, who are still assessing just how deep into their systems Russia’s hackers have crawled. “They couldn’t get into Microsoft 365 directly, so they targeted the weakest point in the supply chain: the resellers,” said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm.

CrowdStrike confirmed Wednesday that it was also a target of the attack. In CrowdStrike’s case, the Russians did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack. The approach is not unlike the 2013 attack on Target in which hackers got in through the retailer’s heating and cooling vendor. The latest Russian attacks, which are thought to have begun last spring, have exposed a substantial blind spot in the software supply chain. Companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google’s G-Suite, Zoom, Slack, SolarWinds and others — and giving them broad access to employee email and corporate networks — they will never be secure, cybersecurity experts say. “These cloud services create a web of interconnections and opportunity for the attacker,” Mr. Chisholm said. “What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses.” Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stood by its statement last week that it was not hacked, nor was it used to attack customers.