Report Cites Microsoft Negligence in Massive SolarWinds Hack
Microsoft was more interested in acquiring federal government business, says a new report.
A new report says Microsoft’s cybersecurity negligence toward a high-severity flaw eventually led to the SolarWinds hack, one of the most impactful cyberattacks in U.S. history.
Former Microsoft employee Andrew Harris and independent journalism site ProPublica released the investigative research. Harris says he discovered a flaw in a Microsoft product, used by millions to log on to their work computers, that “could allow attackers to masquerade as legitimate employees and rummage through victims’ ‘crown jewels’: national security secrets, corporate intellectual property, embarrassing personal emails, all without tripping alarms.”
Harris flagged the issue to his colleagues, “but they saw it differently,” according to the report.
“The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business,” it said. “Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.”
According to the ProPublica report, Harris pleaded with Microsoft for years to address the flaw, but the company dismissed his warnings, telling him it would work on a long-term solution. He scrambled to alert some of Microsoft’s most sensitive customers, and eventually left the company, frustrated with the inaction.
SolarWinds Hack Disclosed
Within months, it was confirmed that a state-sponsored team of Russian hackers had carried out the SolarWinds hack. The breach was disclosed in late 2020. The malicious hackers used the flaw Harris had identified to vacuum up sensitive data from a number of federal agencies.
Microsoft sent us the following statement:
“Protecting customers is always our highest priority. Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus. Security Assertion Markup Language (SAML) is an industry standard for authentication supporting the majority of authentication and multiple vendors’ identity services today. There are no inherent vulnerabilities in that standard, and supporting SAML itself is not a vulnerability for identity services. Many customers use SAML as the industry-standard authentication protocol to delegate trust between systems. As with others across the industry, we continue to offer that functionality to our customers, while emphasizing the importance of securing the systems that are the root of that trust.”
Microsoft continued:
“We prioritize our security response work by considering potential customer disruption, exploitability and available mitigations. We continue to listen to the security research community and evolve our approach to ensure we are meeting customer expectations and protecting them from emerging threats. One example of this is our Secure Future Initiative commitments, which we launched in November to help prepare for the increasing scale and seriousness of cyberattacks as our top priority.”
Concerning, But Not Entirely Surprising
Omri Weinberg, co-founder and chief revenue officer at DoControl, said this situation with Microsoft is “indeed concerning but not entirely surprising.”
“When profit motives take precedence over security, it creates significant vulnerabilities that can be exploited by sophisticated actors like nation-states,” he said. “The fallout from this could be substantial, impacting not only Microsoft’s reputation, but also the broader trust in cloud services and enterprise software providers. It’s a stark reminder for all organizations to rigorously evaluate the security measures of their technology partners, and insist on transparency and accountability in how they handle potential threats.”
John Bambenek, president of Bambenek Consulting, said the most immediate fallout will be an entire rethinking of the SolarWinds litigation. Last October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures in connection with the breach.
“If I were facing SEC action, I would be immediately including these new revelations in my defense,” he said. “The fundamental issue is that business ethics require leaders to act first and foremost in the best interest of the shareholders. Unfortunately, when companies have cybersecurity breaches (with the exception of ransomware), the harm is felt by their customers, not the business itself. Doing the right thing from a cybersecurity perspective can be hard to overcome the mercenary capitalistic math of maximizing shareholder value.”