On Feb. 1, Microsoft announced a new cybersecurity offering for federal government customers called the Modern Log Management Program. The program includes a suite of Microsoft’s visibility and remediation tools, which pull diagnostic data from various Microsoft products so that customers gain more insight into what’s happening on their networks. The goal of the program, according to Microsoft, is to help executive branch agencies meet new cybersecurity event logging requirements issued by the Office of Management and Budget (OMB) in August 2021 in a memorandum known as M-21-31. Microsoft has pledged to offer the program at a discounted price to help agencies “mitigate budget challenges from an increase in log source and log storage requirements required by M-21-31.”
This offer sounds almost charitable on Microsoft’s part, but a closer look at the circumstances that gave rise to M-21-31—and Microsoft’s unique place in federal information technology (IT)—highlights how Microsoft simultaneously combats, profits from and contributes to cybersecurity problems.
OMB introduces the requirements laid out in M-21-31 by observing that “[r]ecent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident.” The SolarWinds incident came to light in December 2020 when the cybersecurity company formerly known as FireEye announced its discovery of a Russian cyber-espionage campaign that would become popularly (though misleadingly) known as SolarWinds, which is the name of the software vendor behind a popular network monitoring product called Orion. Russian government hackers had infiltrated the vendor’s software development environment at some point in 2019 and installed malicious code in a software update—a type of attack known as a supply chain operation. When SolarWinds’s customers installed the update, the malicious code hidden within gave the Russian hackers a foothold for burrowing deeper inside SolarWinds’s customers’ networks to steal secrets.
The campaign—which is known less popularly by the company-neutral monikers Nobelium and SUNBURST—is viewed by many observers as one of the most significant cyber incidents to date because it involved a supply chain operation and required significant planning and patience on the adversary’s part. And it impacted a range of victims: federal agencies, state and local governments, universities, and a large swath of the Fortune 500, including Cisco, Intel and Microsoft.
SUNBURST—the term I’ll use here for the campaign—must have produced an intelligence bonanza for the Russian government. And the threat actors have not let up: They continue to adapt their tradecraft to evade detection and carry out further attacks.
Despite the focus on SolarWinds as the main door the attackers entered, Microsoft is a common thread across many victims of the SUNBURST campaign. Once inside a victim’s network courtesy of Orion, the SUNBURST attackers often exploited known loopholes in how Microsoft’s cloud product, Microsoft 365, was configured. This allowed the attackers to expand their access to a victim’s IT environment, including the victim’s cloud accounts, and to hide their tracks.
For the roughly one-third of SUNBURST victims who did not use Orion but still got hacked, the attackers found different ways in, but once inside, they abused the same configuration loopholes in Microsoft 365 to burrow deeper and move laterally within the victim’s networks. Researchers from the Atlantic Council performed a comprehensive review of the SUNBURST campaign and concluded that “[i]t is this lateral movement into the cloud, and the effective abuse of Microsoft’s identity services, that distinguishes an otherwise large software supply chain attack from a widespread intelligence coup” for Russia.
Since the news of SUNBURST broke one year ago, the two companies have fared differently: SolarWinds has suffered while Microsoft has thrived. SolarWinds—whose internal cybersecurity practices have understandably come under fire and are the subject of litigation—has paid a heavy price for its role in the incident. Its product, Orion, was the attackers’ way in for an estimated 70 percent of the campaign’s victims. The company’s name has become synonymous with a Russian hacking campaign, and its competitors have seized the opportunity to market their products as a safe, easy-to-switch-to alternative. “Organizations can now get up and running today with no delay, no [capital expenditures], and no new expertise,” boasts one competitor about its alternative offering. SolarWinds has disclosed a running tally of nearly $40 million in expenses from the incident and continues to warn investors that the incident “is expected to negatively impact revenue, profitability and cash flows in 2021 and beyond.” Its stock price is down more than 40 percent since this time last year, notwithstanding a two-to-one reverse stock split and a special dividend in July.
Microsoft, by contrast, has fared much better. Its stock price is the mirror image of SolarWinds’s stock price, up well over 40 percent this year. And it experienced 22 percent year-over-year revenue growth, its fastest since 2018.
Despite these financial gains, 2021 was overall a very tough year in security for Microsoft.
First, there was the disclosure in March 2021 of what cybersecurity analyst Brian Krebs dubbed the “mass-hack” of zero-day vulnerabilities (that is, vulnerabilities that were previously unknown) in Microsoft Exchange Servers that adversaries could exploit remotely, with no user action. China and apparently other governments discovered and exploited the vulnerability months before Microsoft’s public disclosure and subsequent issuance of a patch. Within days of Microsoft’s disclosure, the victim count exceeded 60,000. A week later, Microsoft issued an update to fix 82 security problems in Windows, 10 of which the company deemed “critical” (including a particularly dangerous one involving Internet Explorer).
In June 2021, the company issued patches for six more zero-days that adversaries had already discovered and exploited. In July, it issued emergency updates to fix PrintNightmare, a vulnerability in the Windows Print Spooler service that could enable an adversary to take full control of a vulnerable system. The streak continued into August when one team of researchers announced the discovery of a design flaw in Microsoft Exchange Autodiscover that attackers could exploit to harvest Windows domain credentials and another team of researchers discovered a vulnerability that they exploited to achieve “complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers.”
September 2021 was especially tough. It began with Microsoft announcing the discovery of another remote code execution vulnerability, this time affecting MSHTML, a software component in Internet Explorer and Micros