By Ellen Nakashima
Dec. 24, 2020
The Washington Post
Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow’s ongoing cyber espionage campaign targeting numerous U.S. agencies and corporate computer networks.
The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said. They did not identify the partner or the company known to have had emails stolen. Like others, these people spoke on the condition of anonymity to discuss what remains a highly sensitive subject.
Microsoft hasn’t publicly commented on the intrusions. On Thursday, an executive with the tech giant sought to downplay the issue’s significance.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” Jeff Jones, Microsoft’s senior director for communications, said. “We have still not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The troubling revelation comes several days after Microsoft’s president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide.
“I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker,” Smith told The Washington Post on Dec. 17.
Yet two days earlier, Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a blog post CrowdStrike published Wednesday. In its post, CrowdStrike alerted customers that Microsoft had detected unusual behavior in CrowdStrike’s Azure account and that “there was an attempt to read email, which failed.” CrowdStrike does not use Microsoft’s email service. It did not link the tactic to Russia.
People familiar with the previously undisclosed email theft said it does not exploit any Microsoft vulnerability. The company itself was not hacked — only one of its partners, they said.
Nevertheless, the troubling development raises concerns about the extent of Microsoft’s disclosure obligations, cybersecurity experts said.
“If it’s true that a cloud service provider customer’s data has been exfiltrated and is in the hands of some threat actor, that’s a very serious situation,” said John Reed Stark, who runs a consulting firm and is former chief of the Securities and Exchange Commission’s Office of Internet Enforcement. “It should raise all sorts of alerts within that cloud provider that could trigger a litany of notification, remediation and disclosure requirements — both national and international.”
In a blog post last week, Microsoft stated it was notifying “more than 40 customers” that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.
Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers’ Azure accounts. Once inside a particular customer’s account, the adversary had the ability to read — and steal — emails, among other information.
Microsoft began alerting private-sector clients to the issue last week. Jones said the company also informed the U.S. government last week “that some reseller partners were affected.” However, two individuals familiar with the matter said the government was not notified.
Microsoft itself has not publicly announced the reseller hack. By contrast, when the cybersecurity firm FireEye learned it had been breached through a software update, it disclosed the information. That software patch, from a company called SolarWinds, has been the path through which the Russians have compromised at least five major federal agencies in a major ongoing campaign that has U.S. officials working through the holidays.
SolarWinds has acknowledged the hack, calling it “very sophisticated.”
Microsoft’s Jones characterized the reseller issue as “a variation on what we’ve been seeing and not a major new vector.” He said: “Abuse of credentials has been a common theme that’s been reported as part of the tools, techniques and practices for this actor.”
Jones declined to answer questions about when the firm discovered the reseller compromise, how many customers the reseller has, how many were breached and whether the reseller was alerting its customers. “We have various agreements with people, and we won’t share specific information about our engagement with specific partners or customers,” he said.
The fact that the hackers breached a Microsoft partner may not absolve the firm of legal liability, experts said. When hackers stole more than 100 million credit card applications last year from a major bank’s cloud, which was provided by Amazon Web Services,
customers sued the bank and AWS. In September, a federal judge denied Amazon’s motion to dismiss, saying its “negligent conduct” probably “made the attack possible.”
Said Stark: “Just because a cloud provider denies liability does not necessarily mean the provider is off the hook.”
The investigation has now become the top priority for Gen. Paul Nakasone, who heads both the National Security Agency and the military’s U.S. Cyber Command. Developing a coherent, unified picture of the extent of the breaches has been difficult because neither the NSA nor the Department of Homeland Security nor the FBI has the legal or jurisdictional authority to know where all the compromises are.
Nakasone’s challenge, as one U.S. official put it, is “he’s expected to know how all the dots are connected, but he doesn’t know how many dots there are or where they all are.”
Some of that inability is caused by federal contracting rules to protect agency privacy, Microsoft’s Smith said. In his interview last week, he said the company was the first to alert several federal agencies to the breaches that had taken place through the SolarWinds update. But, he said, the company was barred by federal contract from sharing that information outside of the agency affected.
“In many instances, because of the confidentiality restrictions that are placed on us by federal contracts, we would have to go to the government and say, ‘We have found another federal agency. We can’t tell you who they are, but we are asking them to call you,” he said.
U.S. government and private-sector sources now say the total number of victims — of agencies and companies that have seen data stolen — is likely to be at most in the low hundreds, not in the thousands as previously feared. But even one major agency hack is significant.
Several years ago, Chinese government hackers compromised the Office of Personnel Management, exposing the records of more than 22 million federal workers and their families.
Then as now, the breaches were seen as acts of espionage. There was no evidence of network disruption or destruction, or of efforts to use the stolen goods in, say, an operation to interfere in an election or run a disinformation campaign.
The Russian effort is not an act of war, U.S. officials say.
“I want a throat to choke on this thing — I’m angry that they got us, but the reality is the Russians pulled off a highly targeted, complex and probably expensive cyber intrusion that was a sophisticated espionage operation,” said Rep. Jim Langevin (D-R.I.), a member of the House Armed Services Committee who co-chairs the Congressional Cybersecurity Caucus.
The breaches are akin to the Russians placing moles in multiple places in high levels of the government, Langevin said, adding that the U.S. government should respond as it would to a physical espionage campaign. “We could expel diplomats or suspected spies, or perhaps impose sanctions,” he said. “But we also want to be careful that we don’t destabilize the Internet or our own espionage operations.”
Ellen Nakashima is a two-time Pulitzer Prize-winning reporter covering intelligence and national security matters for The Washington Post. She joined The Post in 1995 and is based in Washington, D.C.