The suspected Russian hackers behind breaches at FireEye and U.S. government agencies have also targeted CrowdStrike, the cybersecurity company says.
The group that executed the broad SolarWinds operation failed in its attempt to breach CrowdStrike, Chief Technology Officer Michael Sentonas said in a blog post Wednesday. Microsoft researchers first found the attempt, Sentonas said.
Microsoft told CrowdStrike that “several months ago,” the Microsoft Azure account of a Microsoft reseller was making “abnormal calls” to Microsoft cloud application programming interfaces (APIs). The account managed Microsoft Office licenses for CrowdStrike.
The attackers tried to access emails, but Microsoft said the attempt was unsuccessful, according to CrowdStrike. “As part of our secure IT architecture, CrowdStrike does not use Office 365 email,” Sentonas said.
“We have conducted an extensive review of our production and internal environments and found no impact,” Sentonas said. “CrowdStrike conducted a thorough review into not only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft.”
It was not clear what emails the hackers were interested in reading. CrowdStrike is the security firm that first attributed the 2016 breach of the Democratic National Committee to Russian government-linked hackers.
Microsoft did not immediately return a request for comment. The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not immediately return requests for comment.
The National Security Agency, which previously issued an alert warning of how the SolarWinds hackers could exploit vulnerabilities, declined to comment.
The development comes weeks after news of the SolarWinds breach first emerged, in which suspected Russian hackers backdoored software updates for the network management tool SolarWinds Orion. CrowdStrike’s revelations Thursday are a reminder that the fallout from the sweeping espionage operation is almost certainly going to continue to grow. Just in the last week Microsoft, which itself acknowledged it had found some of the attackers’ malicious code in its systems, revealed that it had found a second hacking group that had deployed malware against SolarWinds.
CrowdStrike’s disclosure could reveal a new wrinkle to the story; Sentonas does not name the reseller, raising questions about how many other organizations the SolarWinds hackers targeted through it, and whether any of those attempts were successful.
In a sign that responding to and investigating the SolarWinds operation will take extensive talent and resources, Sentonas said that in CrowdStrike’s follow-up probe into the incident, CrowdStrike found some of the process to be challenging, with several overly burdensome steps.
“Throughout our analysis, we experienced firsthand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them,” Sentonas wrote. “We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”
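The two defensive tasks described in this article, knowing which delegated partner or reseller accounts exist in a tenant and what they actually do, and spotting when such an account makes calls outside its normal scope (here, a licence-management account attempting to reach email), can be illustrated with a small detector over audit records. The following is an added example written for this page; it is not CrowdStrike’s or Microsoft’s code. The record layout, the operation names such as `License.Assign` and `Mail.Read`, the account names and the allowed-scope policy are all constructed assumptions for illustration and do not reproduce Microsoft’s real audit-log schema or API.

```python
"""Added, constructed example: inventory delegated partner accounts and flag
cloud API calls that fall outside their expected scope or their own baseline.
Record layout and operation names are assumptions, not Microsoft's schema."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    timestamp: str     # ISO-8601 string, constructed
    actor: str         # account that made the call
    relationship: str  # "employee" or "delegated_partner"
    operation: str     # assumed operation name, e.g. "License.Assign"
    tenant: str        # tenant the call was made against


# Constructed baseline window: what each account normally does.
BASELINE = [
    ApiCall("2020-09-01T09:00:00Z", "reseller-admin@partner.example",
            "delegated_partner", "License.Assign", "corp"),
    ApiCall("2020-09-02T09:10:00Z", "reseller-admin@partner.example",
            "delegated_partner", "License.Revoke", "corp"),
    ApiCall("2020-09-02T10:00:00Z", "alice@corp.example",
            "employee", "Mail.Read", "corp"),
    ApiCall("2020-09-03T11:00:00Z", "alice@corp.example",
            "employee", "Mail.Send", "corp"),
]

# Constructed recent window: the licensing account now touches mail operations.
RECENT = [
    ApiCall("2020-12-01T09:00:00Z", "reseller-admin@partner.example",
            "delegated_partner", "License.Assign", "corp"),
    ApiCall("2020-12-01T03:12:00Z", "reseller-admin@partner.example",
            "delegated_partner", "Mail.Read", "corp"),
    ApiCall("2020-12-01T03:13:00Z", "reseller-admin@partner.example",
            "delegated_partner", "Mail.ReadAll", "corp"),
    ApiCall("2020-12-01T10:00:00Z", "alice@corp.example",
            "employee", "Mail.Read", "corp"),
]

# Assumed policy: a partner that manages licences should only perform
# licensing or subscription operations, never mailbox operations.
PARTNER_ALLOWED_PREFIXES = ("License.", "Subscription.")


def inventory_partners(calls):
    """Map each delegated partner account to the sorted operations it performed.

    This is the enumeration step: which third parties hold delegated access
    and what they have used it for.
    """
    seen = defaultdict(set)
    for c in calls:
        if c.relationship == "delegated_partner":
            seen[c.actor].add(c.operation)
    return {actor: sorted(ops) for actor, ops in seen.items()}


def out_of_scope_partner_calls(calls, allowed=PARTNER_ALLOWED_PREFIXES):
    """Return partner calls whose operation is outside the allowed scope."""
    return [c for c in calls
            if c.relationship == "delegated_partner"
            and not c.operation.startswith(allowed)]


def new_operations(baseline, recent):
    """Operations an actor performed recently but never in the baseline window.

    Catches scope drift even when no explicit allow-list policy exists.
    """
    seen = defaultdict(set)
    for c in baseline:
        seen[c.actor].add(c.operation)
    novel = defaultdict(set)
    for c in recent:
        if c.operation not in seen[c.actor]:
            novel[c.actor].add(c.operation)
    return {actor: sorted(ops) for actor, ops in novel.items()}


if __name__ == "__main__":
    print("partner inventory:", inventory_partners(RECENT))
    for call in out_of_scope_partner_calls(RECENT):
        print("out of scope:", call.timestamp, call.actor, call.operation)
    print("new operations vs baseline:", new_operations(BASELINE, RECENT))
```

The policy check and the baseline check are deliberately separate: the first needs someone to have written down what a reseller is allowed to do, which is exactly the relationship information the article says was hard to obtain, while the second only needs historical records and will still flag a licensing account that suddenly starts reading mail.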
By some estimates, the SolarWinds breach could impact thousands of organizations across the public and private sector. Already federal agencies, including the Departments of Commerce, State, Defense, Homeland Security and others, are reported to have been compromised.
The U.S. government’s investigation into the SolarWinds breach is ongoing. Just weeks ago the White House National Security Council initiated an emergency cyber incident response process to coordinate multiple agencies’ efforts to assess the damage from the espionage operation and next steps for possible responses.
Private sector companies are permitted to be involved in the NSC process, by definition. CrowdStrike did not immediately return a request for comment on whether it has gotten involved in the NSC meetings.
Lawmakers have expressed concerns in recent days over whether impacted organizations are being forthcoming about the extent of the damages. The fact that the public learned of the SolarWinds breach because a private sector entity, FireEye, first uncovered it, has also raised alarm bells in Congress, leading many to question how the hackers could have sneaked past U.S. cyberdefenses and counterintelligence operations.
Multiple lawmakers have requested briefings on the espionage operation, including Chairman of the House Intelligence Committee, Rep. Adam Schiff, and Sens. Bob Menendez, D-N.J.; Richard Blumenthal, D-Conn.; Sherrod Brown, D-Ohio, and Ron Wyden, D-Ore.
Read more: CyberScoop