Microsoft shares tool to hunt for compromise in SolarWinds breach

It's the latest private sector effort to help respond to the SolarWinds fallout.

Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.

Microsoft is releasing the CodeQL queries it used to investigate its own source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign that involved a breach at the U.S. federal contractor SolarWinds. The goal is to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog post.

By digging into their own code, organizations can assess whether they have been compromised by the hack, in which suspected Russian hackers laced malicious code into a SolarWinds product’s software update, Microsoft said. The company refers to the campaign as “Solorigate.”

“A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product,” the blog post said. “These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of their own codebases.”

In the blog post, Microsoft’s Security Team also detailed two different approaches to analyzing code-level IoCs related to the SolarWinds breach using CodeQL, a developer tool that can be used to automate security analysis of source code.

The release of the CodeQL queries is the latest indication that private sector efforts will continue to be a crucial part of the nation’s remediation and recovery work in the wake of the SolarWinds breach. Nine federal agencies and roughly 100 companies have been affected, the White House previously said.

Several security companies have since released tools to help potentially affected organizations assess the damage. FireEye, the security firm that first found evidence of the breach, was the first to develop and release countermeasures that other organizations could use to try to thwart any potential fallout from the SolarWinds breach. In December, Microsoft, FireEye and domain registrar GoDaddy released a “killswitch” to make it more difficult for the hackers to continue running their campaign.

Leaders from several technology firms, including Microsoft, FireEye and CrowdStrike, as well as SolarWinds, have been testifying on Capitol Hill to brief lawmakers on the hacking operation and on potential solutions moving forward.

The federal government has also been working to respond to the SolarWinds breach, which has affected the National Institutes of Health and the departments of Commerce, Treasury, Defense, State and Homeland Security. The Trump administration’s National Security Council (NSC) kicked off the emergency response process, meant to coordinate federal agencies’ and private sector responses.

The cleanup of the suspected espionage operation, which the U.S. intelligence community assessed was “likely” carried out by Russian actors, will take some time — possibly several months — Anne Neuberger, the Biden administration’s deputy national security advisor for cyber and emerging technology at the NSC, warned in a White House press briefing earlier this month.

The federal government suspects there may be more breaches to uncover moving forward.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
