From www.pcmag.com

For years before the SolarWinds malware attack, Microsoft didn’t address the security flaw that enabled it because the company was trying to secure a multibillion-dollar deal with the Pentagon and compete with rivals like Okta, according to a new investigation from ProPublica.

Microsoft employee Andrew Harris, who previously worked at the US Department of Defense for seven years and worked at Microsoft from 2014 until 2020, identified the security issue and pressed Microsoft to fix it for “several years,” according to the report.

When Harris explained the vulnerability to other Microsoft staff, they initially argued it was fine because attackers would first have to gain access to a Microsoft server. Harris thought their logic was flawed and pushed further, speaking with others at the company. Eventually, more came around to admitting there was a problem.

“Everyone violently agreed with me that this is a huge issue,” Harris said. “Everyone violently disagreed with me that we should move quickly to fix it.”

While Microsoft wasn’t in a hurry to fix the problem, Harris notified some of Microsoft’s clients about the flaw and worked with a few, like the NYPD, to implement a solution. Harris’ solution didn’t sit well with Microsoft because the company thought it created too much “friction” and made it harder for Microsoft to compete with single sign-on (SSO) rival Okta (which, notably, was hacked last year).

“The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” Harris tells ProPublica of his perspective. Microsoft employees also told the outlet that they were more likely to be rewarded for developing slick new features than quashing bugs. Cybersecurity firms have criticized Microsoft’s approach to bug fixes, arguing that one issued last year was flawed and incomplete.

In 2017, a cybersecurity firm published a report detailing the exploit Harris had separately uncovered. Microsoft ultimately told Harris it would develop a longer-term solution. But Microsoft did not release a fix in time to protect itself from the SolarWinds attack.

SolarWinds’ CEO later said the hackers were already inside its systems in 2019 and argued the attack was “extremely sophisticated.” While the attack is commonly referred to as the SolarWinds attack, about a third of those affected by the incident never actually used SolarWinds’ software, The Wall Street Journal reported in 2021.

Months after Harris left Microsoft, Russian hackers used the exploit to spy on the US government, view US attorneys’ Microsoft 365 accounts, and access Microsoft’s source code. At the time, Microsoft said the privacy of its source code wasn’t a big deal, stating: “We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code.”

But ProPublica reports that the hackers also gained access to data from the US National Nuclear Security Administration, the Treasury Department, and the federal health agency overseeing the COVID-19 pandemic research and vaccine response. Days after the attack, Microsoft said it isolated and removed the malware it found. It also told its 365 customers to disable their “seamless SSO” in Microsoft’s Active Directory Federation Services. This was Harris’ initial solution, which Microsoft neglected to adopt for years, ProPublica reports.

“Protecting customers is always our highest priority,” a Microsoft rep told the outlet in a statement. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”

The 2020 SolarWinds attack has been tied to the Nobelium or CozyBear Russian hacking group, which allegedly breached Microsoft again earlier this year and gained access to Microsoft executives’ emails. The group also attacked other IT firms back in 2021.

Last year, a US Senator urged the feds to investigate Microsoft’s “negligent cybersecurity.” US cybersecurity regulators recently concluded that Microsoft has “a corporate culture that deprioritized enterprise security investments” and has asked it to implement “fundamental, security-focused reforms across the company” and share those plans with the public. The company later pledged to make security a “top priority.”

The post Microsoft Ignored Whistleblower Warnings Before SolarWinds Attack first appeared on www.pcmag.com
