Microsoft denies that Microsoft 365 was compromised by hackers

Earlier, the U.S. Department of Commerce and subordinate departments of the U.S. Treasury were hit by malware. The attackers are reported to have lurked inside for several months, monitoring email communications within the departments.

In its initial report, Reuters stated that both the Department of Commerce and the Treasury use Microsoft 365, and that the attackers appeared to have used some kind of manual authentication to breach Microsoft 365.

Microsoft found this unacceptable. The company holds that its Microsoft 365 government and enterprise services are invincible and unlikely to be penetrated by hackers without warning.

And indeed that turned out to be the case. Preliminary investigation found that the enterprise systems and information management software sold by the American company SolarWinds were the real springboard for the hackers.


Some U.S. government agencies use SolarWinds products; the hackers had penetrated SolarWinds' internal network in advance and then carried out this targeted attack.

The investigation found that SolarWinds pushed updates to versions 2019.4 and 2020.2.1 between March and June 2020, and that these versions all contain malware named SUNBURST.

Once installed on a computer, the malware sleeps for 12 to 14 days, then wakes up and contacts the command-and-control (C&C) server's domain name.
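As an added illustration (not code from the article or from SolarWinds), the kind of check a defender would run over an asset inventory: flag hosts running a build in the affected range and see whether each host's first DNS lookup of an unfamiliar domain lands in the 12 to 14 day dormancy window the article describes. Hostnames, versions, timestamps and domains are constructed; the `.invalid` names are placeholders, and treating 2019.4 and 2020.2.1 as the ends of the affected range is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): hosts with the installed
# SolarWinds product version and install time, plus their DNS query log.
INVENTORY = [
    ("orion-01", "2020.2.1", "2020-06-01T09:00:00"),
    ("orion-02", "2019.4", "2020-04-15T12:00:00"),
    ("orion-03", "2018.2", "2020-02-10T08:00:00"),  # build outside the range
]
DNS_LOG = """\
2020-06-14T10:02:11 orion-01 query intranet.example.local
2020-06-15T03:14:09 orion-01 query a1b2c3.beacon-placeholder.invalid
2020-04-27T22:45:00 orion-02 query d4e5f6.beacon-placeholder.invalid
2020-02-11T08:00:00 orion-03 query intranet.example.local
"""
# Assumption: the two versions the article names bound the affected range.
AFFECTED_MIN, AFFECTED_MAX = (2019, 4), (2020, 2, 1)
DORMANCY = (timedelta(days=12), timedelta(days=14))  # sleep window per the article
KNOWN_GOOD_SUFFIXES = (".local",)  # domains the host is expected to resolve


def version_affected(version):
    """True if a dotted version string falls inside the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def first_unfamiliar_query(host, log):
    """First (timestamp, name) the host looked up outside the known-good set."""
    for line in log.splitlines():
        ts, h, _, name = line.split()
        if h == host and not name.endswith(KNOWN_GOOD_SUFFIXES):
            return datetime.fromisoformat(ts), name
    return None


def triage(inventory, log):
    """Per affected host: (host, first unfamiliar domain, delay in days, in dormancy window)."""
    findings = []
    for host, version, installed in inventory:
        if not version_affected(version):
            continue  # unaffected build: nothing to correlate
        hit = first_unfamiliar_query(host, log)
        if hit is None:
            findings.append((host, None, None, False))  # affected, no beacon seen yet
            continue
        ts, name = hit
        delay = ts - datetime.fromisoformat(installed)
        findings.append((host, name, delay.days, DORMANCY[0] <= delay <= DORMANCY[1]))
    return findings
```

A host that is on an affected build but shows no unfamiliar lookup still appears in the output, since the dormancy period may simply not have elapsed yet.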

So this was not a nation-state hacker successfully breaking into the Microsoft 365 service. Microsoft has in fact stated that the company's authentication system was not compromised.

This type of attack is called a supply chain attack: a system upstream in the supply chain carries the malware to the target. The earlier CCleaner incident was also a supply chain attack.

Although the investigation was not court-authorized, Microsoft has, through its technology alliance partners, seized the core servers and domain names used by the attackers.

This is because the user agreements of domain name and server providers forbid renting or buying servers and domain names for network attacks and other acts that violate local law.

Once a violation occurs, the provider is entitled to act on the server and domain name, so the providers chose to hand the relevant infrastructure over to Microsoft for investigation.

People familiar with the matter said this is protective work, intended to stop these nation-state hackers from continuing to use the servers and domain names to monitor the victims.

Microsoft has not yet released a further investigation report, but U.S. government departments at all levels are now checking to make sure they are not infected with the malware.