Microsoft details how SolarWinds hackers hid their espionage

The attackers “apparently deem[ed] the powerful SolarWinds backdoor too valuable to lose in case of discovery,” Microsoft said.
Microsoft booth at Web Summit Lisbon, 2019.
(Web Summit / Flickr)

Attackers behind an espionage campaign that exploited software built by the federal contractor SolarWinds separated their most prized hacking tool from other malicious code on victim networks to avoid detection, Microsoft said Wednesday.

The findings make clear that, while the hackers have relied on a variety of tools in their spying, the tampered SolarWinds software functioned as the cornerstone of an operation that Microsoft described as “one of the most sophisticated and protracted” of the decade. Multiple U.S. federal agencies focused on national security have been breached in the campaign, which U.S. officials have linked to Russia.

The latest Microsoft research comes as influential security firms continue to come forward as victims of the hacking campaign. Malwarebytes said Tuesday that the same hacking group had apparently breached some of the firm’s internal emails by abusing access to Microsoft Office 365 and Azure software. Malwarebytes said it doesn’t use SolarWinds software, underscoring the array of attack vectors used in the campaign.

Access to SolarWinds’ network monitoring software, which a range of Fortune 500 firms use, would give an attacker who manages to compromise it prime access to an organization’s sensitive data.


Researchers have since suggested that other groups will aim to adopt the SolarWinds hackers’ techniques for their own gain.

The attackers “apparently deem[ed] the powerful SolarWinds backdoor too valuable to lose in case of discovery,” Microsoft researchers said in their latest blog post. And so the spies ensured that the malicious code they used to move through victim organizations was “completely disconnected from the SolarWinds process,” the researchers said.

Moscow has denied involvement in the hacking campaign. Recovering from the breaches, and responding to the perpetrators, will be an early test for President Joe Biden’s administration.

The new Microsoft research also offers one of the more detailed timelines of the hacking operation, covering when the spies selected victims and prepared malicious software implants.

After the SolarWinds trojan was delivered to organizations, the attackers spent about a month pinpointing victims, according to Microsoft. As early as May 2020, the hackers were doing the “real hands-on-keyboard activity” of moving through victim networks for valuable data, Microsoft said.


The hackers were meticulous in covering their tracks. They prepared unique malicious code implants for each victim machine, according to Microsoft, and changed timestamps of the digital clues they left behind to complicate the recovery process for organizations. Microsoft called the former technique an “incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets.”
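Timestamp tampering of the kind described above leaves patterns that forensic triage can look for. The following is an added example, not code from Microsoft, CyberScoop or the SolarWinds investigation: it assumes NTFS file records with the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamp sets already parsed out of an MFT (the `FileRecord` fields and the sample records are constructed here for illustration), and applies three widely used timestomping heuristics.

```python
"""Flag NTFS timestamp patterns commonly left behind by timestamp tampering.

Added illustration. The file records below are constructed for this example
and do not come from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (what user-mode tools usually rewrite)
    si_modified: datetime  # $STANDARD_INFORMATION last-write time
    fn_created: datetime   # $FILE_NAME creation time (kernel-maintained; rarely touched by user-mode tools)


def timestomp_indicators(rec: FileRecord) -> list[str]:
    """Return the list of heuristics this record trips (empty list = nothing suspicious).

    These are leads, not proof: a legitimate rename updates $FN, and files copied
    out of archives or FAT volumes can carry whole-second timestamps.
    """
    reasons = []
    if rec.si_modified < rec.si_created:
        reasons.append("last-write time precedes creation time")
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time earlier than $FN creation time")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second precision on $SI timestamps")
    return reasons


def triage(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each flagged path to the heuristics it tripped; clean records are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample records: one ordinary file, two with tampering indicators.
SAMPLE_RECORDS = [
    FileRecord(
        path=r"C:\Windows\System32\example_legit.dll",
        si_created=datetime(2020, 3, 12, 8, 14, 22, 123456, tzinfo=UTC),
        si_modified=datetime(2020, 3, 12, 8, 14, 22, 654321, tzinfo=UTC),
        fn_created=datetime(2020, 3, 12, 8, 14, 22, 123456, tzinfo=UTC),
    ),
    FileRecord(
        # $SI pushed back years to blend in with old system files; $FN still shows the real drop time.
        path=r"C:\Windows\Temp\example_implant.dll",
        si_created=datetime(2012, 7, 25, 22, 11, 0, 0, tzinfo=UTC),
        si_modified=datetime(2012, 7, 25, 22, 11, 0, 0, tzinfo=UTC),
        fn_created=datetime(2020, 6, 3, 14, 2, 37, 987654, tzinfo=UTC),
    ),
    FileRecord(
        # Only the last-write time was rewritten, leaving it earlier than creation.
        path=r"C:\Users\Public\example_loader.exe",
        si_created=datetime(2020, 6, 3, 14, 2, 37, 500000, tzinfo=UTC),
        si_modified=datetime(2019, 1, 1, 0, 0, 0, 250000, tzinfo=UTC),
        fn_created=datetime(2020, 6, 3, 14, 2, 37, 500000, tzinfo=UTC),
    ),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

In practice the records would come from an MFT parser run over a disk image, and flagged paths would be corroborated against other evidence (USN journal entries, prefetch, the timeline of the intrusion) before being treated as tampered, since each heuristic has benign explanations on its own.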

That echoes what first responders at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have told technology executives about the hacking campaign.

“One of the initial targets of their activity is to go after the incident responders and IT professionals in your organization, ostensibly to see if you’re conducting response activities to their activities,” a CISA official told industry executives in a call about the SolarWinds campaign this month.

“Your defenders are being explicitly targeted in a number of instances by the adversary…to see if the adversary needs to move.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.