The Redmond, Washington company is a user of Orion, the widely deployed network management software from SolarWinds, which was used in the suspected Russian attacks on vital US agencies and others.
Microsoft also had its own products leveraged to attack victims, said people familiar with the matter.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," a Microsoft spokesperson said, adding that the company had found "no indications that our systems were used to attack others."
One of the people familiar with the hacking spree said the hackers made use of Microsoft cloud offerings while avoiding Microsoft's corporate infrastructure.
Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.
Both Microsoft and the DHS, which earlier on Thursday said the hackers used multiple methods of entry, are continuing to investigate.
The FBI and other agencies have scheduled a classified briefing for members of Congress Friday.
The US Energy Department also said it has evidence hackers gained access to its networks as part of the campaign. Politico had earlier reported the National Nuclear Security Administration (NNSA), which manages the country's nuclear weapons stockpile, was targeted.
An Energy Department spokeswoman said malware "has been isolated to business networks only" and has not impacted US national security, including the NNSA.
The DHS said in a bulletin on Thursday the hackers had used other techniques besides corrupting updates of network management software by SolarWinds, which is used by hundreds of thousands of companies and government agencies.
CISA urged investigators not to assume their organisations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they gained access to.
CISA said it was continuing to analyse the other avenues used by the attackers. So far, the hackers are known to have at least monitored email or other data within the US departments of Defense, State, Treasury, Homeland Security, and Commerce.
As many as 18,000 Orion customers downloaded the updates that contained a back door, SolarWinds has said. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.
But the attackers might have installed additional ways of maintaining access, CISA said, in what some have called the biggest hack in a decade.
The Department of Justice, FBI, and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures. They are assuming that the non-classified networks have been accessed, the people said.
CISA and private companies including FireEye, which was the first to discover and reveal it had been hacked, have released a series of clues for organisations to look for to see if they have been hit.
But the attackers are very careful and have deleted logs, or electronic footprints of which files they have accessed, security experts said. That makes it hard to know what has been taken.
Some major companies have said they have "no evidence" that they were penetrated, but in some cases that may only be because the evidence was removed.
In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.
Meanwhile, members of Congress are demanding more information about what may have been taken and how, along with who was behind it. The House Homeland Security Committee and Oversight Committee announced an investigation Thursday, while senators pressed to learn whether individual tax information was obtained.
In a statement, President-elect Joe Biden said he would "elevate cybersecurity as an imperative across the government" and "disrupt and deter our adversaries" from undertaking such major hacks.
© Reuters