The Richmond, Wash.-based software giant is a user of Orion, the widely deployed networking management software from SolarWinds (SWI) that was used in the suspected Russian attacks on several U.S. government agencies.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” Microsoft said in a statement.
“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” the company said.
The revelation follows a new alert issued Thursday by the Department of Homeland Security's cyber arm, which said that Russian hackers suspected of a massive, ongoing intrusion campaign into government agencies, private companies and critical infrastructure entities used a variety of unidentified tactics, not just a single compromised software program.
Hackers believed to be linked to Russia’s foreign intelligence service inserted malware into software updates for SolarWinds’ Orion IT infrastructure management software between March and June. This led to security breaches at the Treasury Department, the National Telecommunications and Information Administration, the Department of Homeland Security and a number of SolarWinds’ corporate clients.
A joint statement issued Wednesday night by the FBI, intelligence community and cyber arm of the Department of Homeland Security formally acknowledged that the ongoing cyber campaign had only come to light over the past "several days," and was still active.
The Cybersecurity and Infrastructure Security Agency said Thursday that the SolarWinds Orion software vulnerability disclosed earlier this week is not the only way hackers compromised a variety of online networks, warning that in some cases victims appeared to have been breached despite never using the problematic software.
For its part, Microsoft has identified more than 40 of its customers around the world that had problematic versions of the third-party IT management program, and that were specifically targeted by the suspected Russian hacking campaign disclosed this week, the company said in a blog post Thursday.
Microsoft said that 80% of those victims are in the U.S. while the rest are in seven other countries, including Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates, with Microsoft President Brad Smith noting that it is "a certainty that the number and location of victims will keep growing."
Shares of Microsoft were down 0.36% at $218.63 in trading on Friday. Shares of SolarWinds were down 0.45% at $17.52.