Microsoft says it was hit by the SolarWinds cyberattack but has not found evidence its products or customer data were affected

  • Microsoft on Thursday said it was hit by the sweeping SolarWinds cybersecurity hack, but the company denied a Reuters report indicating its products and services may have been compromised.
  • Reuters reported that Microsoft's services may have been subverted by the attackers in a way that would make the tech titan's customers vulnerable. "We believe the sources for the Reuters report are misinformed or misinterpreting their information," Microsoft said.
  • Microsoft did confirm that it found and removed elements of the SolarWinds hack from its system.
  • Government agencies and companies have been discovering the apparent nation-state attack this week, including reports that the Department of Energy was affected.

Microsoft on Thursday said its systems had been affected by the SolarWinds hack but denied a report that its services had been subverted to compromise the tech titan's customers.

Reuters reported earlier Thursday that Microsoft was swept up in the sweeping SolarWinds cyberattack, making its systems vulnerable to bad actors. Furthermore, Reuters said the company's products had been compromised by the attackers, potentially putting customers of Microsoft products like Office 365 or Azure at risk.

In response, Microsoft confirmed it was affected by the sweeping supply-chain cybersecurity attack stemming from SolarWinds IT software - but categorically denied that customer data or its own products were at risk. "We believe the sources for the Reuters report are misinformed or misinterpreting their information," the company told Business Insider in a statement.

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," the Microsoft spokesman Frank Shaw said in an additional statement Thursday afternoon. "We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."

In a lengthy blog post published Thursday evening, Microsoft's president, Brad Smith, wrote that SolarWinds "is effectively an attack on the United States" and "provides a moment of reckoning." Smith called for "more effective and collaborative leadership by the government and the tech sector."


Microsoft also reiterated what it said in a blog post Sunday: "We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations." In that same Sunday statement, the company said it was "also actively looking for indicators in the Microsoft environment and, to date, have not found evidence of a successful attack."

Earlier Thursday, the Cybersecurity and Infrastructure Security Agency, the nation's top cybersecurity agency, said in an alert that another cybersecurity company found evidence that the hackers found a way to bypass an authentication tool to access Microsoft's Outlook email app.

"Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App," CISA wrote.

Cybersecurity experts said Microsoft was not necessarily free and clear from any further damage from the SolarWinds intrusion the company says it addressed. "That doesn't mean there isn't a persistent threat actor in there," said Mike Hamilton, the former chief information security officer for Seattle who now holds that role for the incident-response firm CI Security. "They had bad guys in their networks. And it makes sense that they would get hit because they are such a high-value target."

"I would be concerned, considering CISA's note about two-factor authentication related to Microsoft and what they are now reporting that there could be some potential vulnerability," said Frank Downs, a former National Security Agency analyst who is now the director of incident response at the firm BlueVoyant.


The attacks, cited by many experts as coming from a nation-state actor such as Russia, have hit a growing list of enterprises this week, including signs of hacks Thursday at the Department of Energy.