The suspected Russian hackers behind the worst U.S. cyberattack in years used reseller access to Microsoft services to reach targets that were not running the compromised SolarWinds network management software.
Updates to SolarWinds' Orion software were the known point of entry for the hackers. However, the security firm CrowdStrike said on Thursday that the hackers had gained access to the vendor that sold it Office licenses and then tried to use that access to read CrowdStrike's emails.
CrowdStrike did not explicitly say the hackers were the same ones who compromised SolarWinds, but people familiar with its investigation said they were.
CrowdStrike was lucky
CrowdStrike uses Office programs for word processing but not for email. The attempt, which failed, was made months ago, and Microsoft alerted CrowdStrike to it on December 15. CrowdStrike does not use SolarWinds; it said it found no impact from the attempt and did not name the reseller.
One person close to the investigation said the hackers got in using the reseller's access and tried to enable 'read' privileges for email. Had Office 365 been the email system in use, it would have been hacked.
Many Microsoft software licenses are sold through third parties, and those vendors have near-constant access to client systems as products and employees are added.
Vigilance and worries
Customers need to be vigilant, according to Microsoft, which found that recent attacks used credentials obtained from several sources.
Microsoft senior director Jeff Jones said the company has yet to identify any vulnerability in, or compromise of, Microsoft products or cloud services.
The use of a Microsoft reseller raises the question of how many paths the hackers have to the systems they target.