Tag Archives: SolarWinds cyberattack

Who Trusts Microsoft? The Locked-In

Leave a reply

In 2024, the Department of Homeland Security released a scathing report detailing Microsoft’s mistakes during a 2023 hack in which China stole thousands of emails from top government officials. Two years before that, China-linked cyberattackers compromised more than 250,000 Microsoft Exchange servers. In response to the 2024 report, Nadella, the CEO of Microsoft, promised to rededicate Microsoft to protecting its products and its customers from bad actors…

Shortly after Nadella took the reins, Microsoft eliminated the group that had companywide responsibility for Microsoft’s security work, pushing security decisions to the individual business units. Around the same time, Microsoft changed the way it developed software, laying off many of the test engineers charged with uncovering bugs before products ship to customers…

With regard to the July 2025 Microsoft hack, researchers said more than 400 SharePoint servers had been hacked—many of them belonging to government entities—and Microsoft had linked some of the attacks to the Chinese government

In previous episodes, such as the massive 2021 hack of the Microsoft Exchange email system, China pulled off impressive technical feats before being caught…

Regarding the 2025 SharePoint cyberattack, Eye Security researchers discovered, on July 18, 2025 an unauthorized script on a SharePoint server belonging to one of their customers. As the Eye team dug in, they started finding the same script on about 150 other SharePoint servers all over the internet…The script opened a back door to the SharePoint servers, creating an encryption key that could be used later to run commands on the machine. “It was just like a door key left on the street,” said Kerkhofs. “It was accessible for everybody. We just started scanning and we grabbed all the keys.”…Microsoft, learning that hackers were exploiting the bugs, called in its security team.

Eventually the Eye team discovered 80 infected organizations. European government agencies were compromised, as were U.S. federal agencies, municipalities and universities…

On July 20, 2025, the Energy Department confirmed that it was a victim… News of the compromise was reported by Bloomberg, which said that the National Nuclear Security Administration was specifically victimized.

Excerpt from Robert McMillan, A Failed Microsoft Security Patch Is the Latest Win for Chinese Hackers, WSJ, July 25, 2025

The Under-the-Hood Cyberattacks

Leave a reply

The Biden administration sanctioned a Chinese company in January 2025  it said was behind the vast cyber intrusions into U.S. telecommunications networks that swept up phone calls of scores of U.S. government officials as well as those of incoming President Donald Trump.

The U.S. Treasury Department said that Sichuan Juxinhe Network Technology Co. was directly involved in the deep compromises of the telecommunications firms, which U.S. officials and lawmakers have said is a historically damaging espionage campaign carried out on behalf of the Chinese government. The firm is based in the Sichuan province of China and advertises itself as a technology-services and cybersecurity company.

Separately, U.S. authorities sanctioned a Shanghai-based hacker, Yin Kecheng, whom they allege was involved in an unrelated breach of sensitive systems within the Treasury Department itself. Neither Sichuan Juxinhe nor Yin Kecheng could immediately be reached for comment.

The sanctions… are the most direct public response to the telecom hacks, which were first revealed by The Wall Street Journal in 2024 and have been attributed to a hacking group dubbed Salt Typhoon. The sanctions will block U.S. transactions with Sichuan Juxinhe and allow for the seizure of any property or interests the firm has within the U.S. It couldn’t be immediately established whether the firm, for which little information was available online, had any U.S.-held assets or property.

Hackers compromised at least nine American telecommunications firms, scooping up enormous amounts of call-log data and the unencrypted texts and call audio from several dozen specific high-value targets. They also accessed wiretap-surveillance systems at victim companies Verizon Communications and AT&T in an apparent effort to learn how much the FBI and others understood about Beijing’s spies operating in the U.S. and internationally, according to investigators.

In the Treasury Department hack, China is believed to have accessed unclassified files located on compromised work computers of a range of senior officials, including Secretary Janet Yellen… The intrusion occurred through a hacked third-party software vendor called BeyondTrust, which was able to remotely access virtually any Treasury work computer, the people said. The department’s sanctions office itself—the same one that imposed penalties—was breached in the hack, as were other offices that possess sensitive nonpublic information. 

Excerpt from The U.S. Sanctions Beijing Firm Behind Major ‘Salt Typhoon’ Telecom Hacks, WSJ, Jan. 17, 2025

How Russia Invaded Microsoft

Leave a reply

Microsoft  said in March 2024 a Russian state-sponsored hacking group that stole information from its senior leadership team is still using that information to gain unauthorized access to its internal systems. The technology company disclosed in January  2024 that the group, which it has identified as Midnight Blizzard, had extracted information from a small percentage of employee email accounts, including members of its senior leadership team and employees in its cybersecurity and legal teams. Since that disclosure, the group has used that information to gain access to Microsoft’s source code repositories and internal systems. The volume of some aspects of the attack, including password sprays, jumped 10-fold in February compared with the already large volume Microsoft encountered in January, it said.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft said. The company said that its investigations of Midnight Blizzard activities are continuing and that it is coordinating efforts with federal law enforcement. In a blog post last August 2023, Microsoft said it had detected Midnight Blizzard, previously known as Nobelium, launching targeted social-engineering attacks that used Microsoft Teams chats to phish for credentials. The former Nobelium group has been linked by U.S. authorities to the Foreign Intelligence Service of the Russian Federation and is known for its involvement in the massive SolarWinds hack of 2020.

Excerpts from Dean Seal, Microsoft Says Russian-Sponsored Hackers Still Using Stolen Information, WSJ, Mar. 9, 2024