SolarWinds is the name that has been given to a massive, months-long hacking operation in which the Russian government is said to have planted malware into the software of the company for which the scandal is named.
Many US government agencies used software and network technology created by SolarWinds, which thus put critical aspects of the US government and its national security apparatus at risk.
However, that appears to have only been the first stage of this complex hacking operation. In its second stage, it was software designed by Microsoft that was exploited. This is unnerving because Microsoft’s products are ubiquitous not only among private consumers but among government agencies as well.
If we know one piece of Microsoft’s code to have been vulnerable to attack, what else is vulnerable? What else needs to be updated?
Indeed, federal lawmakers are now demanding that Microsoft perform a massive suite of software and security updates to all of its products, particularly those used by government agencies and that it does so swiftly and cheaply.
Microsoft’s Security Holes
Responding to this pressure, Microsoft has offered all federal agencies the right to use its “advanced” security features at no added cost. The tech giant also did damage control in another way — namely, by attempting to shift the blame to consumers for the fact that holes in cybersecurity are often exploited.
This isn’t entirely wrong. After all, social engineering attacks — those hacks that attempt to leverage and exploit the human element of hacking through things like phishing or even calling government employees and pretending to work at some government agency in order to get the worker to reveal passwords or other important information — are now responsible for the majority of successful large-scale hacks.
Human error is thus a major component of why things get hacked.
However, George Kurtz, the CEO of a major cybersecurity firm and frequent government contractor CrowdStrike, said that Microsoft’s products contain “systemic weaknesses.” According to Kurtz, at least nine government agencies and 100 private companies use the software that contains these weaknesses.
Another problem is that Microsoft is known to have had business dealings with Russian tech firms. One of these was Positive Technologies, a firm that, according to the Biden Administration, supports and may even be involved in hacking done by the Kremlin. On Thursday, April 15, the Biden Administration announced that it would be placing sanctions on six different Russian tech firms, one of which was Positive Technologies.
However, in the past, Microsoft has allowed Positive Technologies and about 80 other companies early access to data on vulnerabilities that have been found in Microsoft software.
As yet, it remains unknown just how deep this cybersecurity rabbit hole runs, but indications are that when all is said and done, what is discovered about how vulnerable our government is to being hacked could be quite unsettling.
Microsoft claims that it no longer shares such data with Positive Technologies, now that sanctions have been announced.