Dive Brief:
- Following the discovery of malicious SolarWinds applications in its systems, Microsoft found evidence that malicious actors viewed some internal source code in its repositories, the company said last week. It found no changes had been made to the code.
- The SolarWinds compromise, discovered three weeks ago, has organizations rushing to determine the full extent of the damage. At least 250 organizations are impacted, including government agencies and businesses, according to a New York Times report.
- Scrutiny is centered on supply chain impacts. Cybersecurity firm CrowdStrike found evidence of compromises through Microsoft resellers, according to a December blog post. A Microsoft reseller's Azure account, which manages CrowdStrike's Microsoft Office licenses, made abnormal cloud API calls in a failed attempt to read email.
Dive Insight:
SolarWinds' technology served as an access point to a vast network, revealing systemic security vulnerabilities. With Microsoft working through the fallout, industry attention is turning toward who else was targeted and what the malicious actors, suspected Russian hackers, were after.
"What this reveals is just how insecure our supply chains really are and overlooked," said Graham Holmes, CSO of PacketFabric.
"The attack on Microsoft's resellers and others is no different than the exploit that happened with Home Depot and leveraging flaws in the security of an HVAC provider, who serviced some of these systems," Holmes said. "It gets back to the fundamental weakness in all of these things, which is how do you secure a very porous boundary" in any operating environment.
Though it is unknown which Microsoft source code the malicious actors viewed, the access creates an opportunity for them to better understand how the company's services work. Though Microsoft was quick to say it does not rely on code secrecy for security because it follows an innersource approach, risk persists.
The fastest way to find weaknesses in code is to look at the code, according to Holmes. Access to source code is prized because it serves as a shortcut, sparing an attacker the trial-and-error work of discerning what problems exist in compiled code.
Even if Microsoft follows open source or innersource practices, exposure of its source code is still a vulnerability.
Solorigate exposed the many weaknesses that exist across the industry, Holmes said. There's a general problem with supply chain security, and "everybody prioritizes features before security."