Security Market Segment LS
Tuesday, 16 February 2021 11:18

What role did Microsoft play in the SolarWinds supply chain attack?

What role did Microsoft play in the SolarWinds supply chain attack? Pixabay

ANALYSIS The assertion by Microsoft President Brad Smith during a 60 Minutes interview with CBS on Sunday that the supply chain attack revealed by security firm FireEye in December was "the largest and most sophisticated attack the world has ever seen" has once again raised the question of the extent to which Microsoft was involved in this attack.

Smith said: “I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen."

And he added: "When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1000.”

A number of researchers chimed in with their comments on this claim, with former Tor Project member Runa Sandvik tweeting: "Saying 1000 engineers worked on the attack is like saying 1000 journalists worked on today’s front page story. Details like org structure, roles and responsibilities matter."

Microsoft's statements about this incident have been, well, curious. When the first reports of its being affected by the SolarWinds breach surfaced, Smith was quick to deny any compromise, saying "We have no indication of this." But the company soon had to backtrack on that.

On 31 December, Microsoft announced that the attackers had accessed its source code, but brushed it away by saying: "At Microsoft, we have an inner source approach — the use of open source software development best practices and an open source-like culture — to making source code viewable within Microsoft." No mention was made of what source code had been accessed.

On 13 January, email security provider Mimecast issued a statement saying a certificate it used for its Microsoft 365 connection had been compromised.

The same day, attackers who claimed to be behind the attacks started offering stolen Windows source code for sale.

A day later, a small Israeli firm, Cycode, poked a big hole in Microsoft's argument, pointing out that the lack of timing and detail in Microsoft's announcement about its source code being accessed could only mean that this was bad news.

And this company's vice-president of marketing, Andrew Fife, had some sober words to offer, saying his firm was rooting for Microsoft. "Not only is it the right thing to do, but what other choice do any of us really have? The consequences of a widespread Microsoft supply chain attack could necessitate an Internet 'shelter in place order'. We hope this is the final chapter of Microsoft's breach, but we fear it may have been reconnaissance for the next bigger operation."

Since then, there has been silence about the attack, even though it is now more than two months since FireEye first told the world that its Red Team tools had been stolen. Five days after that announcement, details of SolarWinds involvement, through a compromise of the update chain for its Orion network management software, were revealed by FireEye.

It's surprising that there has been no definitive claim about who was behind the attacks as yet. The bog standard accusation of Russia being behind it all has been flung about by the usual scaremongers, but such people — like Ellen Nakashima of The Washington Post — are known for making flaky claims.

This has led to speculation that Microsoft's software is much more at the centre of the the hack, apart from being the host operating system for Orion.

It is well known that many US Government software packages, even in sensitive areas like Defence, still run on ancient versions of Windows like XP. Given that, and the overwhelming preponderance of Windows in businesses and also homes, and its less-than-stellar security record, Redmond's involvement in this supply chain attack could well end up being much bigger than we know at present.

Read 2797 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News