After Russian hackers exploited a flaw in a widely used Microsoft product in one of the largest cyberattacks in U.S. history, the software giant downplayed its culpability. However, a recent ProPublica investigation found that a whistleblower within Microsoft’s ranks repeatedly tried to convince the company to address the weakness years before the hack — and that the company rejected his requests, dismissing his concerns at every stage.
Here are the key things you need to know about this whistleblower’s efforts and Microsoft’s inaction.
Years before the SolarWinds hack was discovered in 2020, a Microsoft engineer discovered a security flaw that these hackers would eventually exploit.
In 2016, while investigating an attack on a major technology company, Microsoft engineer Andrew Harris said he discovered a flaw in the company’s Active Directory Federation Services, a product that allowed users to log in just once for almost everything they needed. Because of this weakness, millions of users – including federal employees – were exposed to hackers.
Harris said the Microsoft team responsible for handling reports of security weaknesses dismissed his concerns.
The Microsoft Security Response Center determines which reported security vulnerabilities need to be fixed. Harris said he informed the MSRC of the flaw, but it decided to take no action. The MSRC argued that because hackers would already need access to an organization’s on-premises servers before they could take advantage of the flaw, it did not cross what is known as the “security boundary.” Former members of the MSRC told ProPublica that the center routinely dismissed reports of weaknesses using the term, even though it had no formal definition at the time.
Microsoft product managers also refused to fix the problem.
Following the MSRC’s decision, Harris reported the problem to Microsoft product managers who, he said, “vehemently agreed with me that this was a huge problem.” But, at the same time, they “vehemently disagreed with me that we should move quickly to resolve this problem.”
Harris had proposed a temporary solution of suggesting customers turn off the seamless single sign-on feature. This move would eliminate the threat but require users to log in twice instead of once. A product manager argued that this was not a viable option because it risked alienating federal government customers and undermining Microsoft’s strategy to marginalize a top competitor.
Microsoft also worried that publicly disclosing the flaw could hurt its chances of winning future government contracts worth billions of dollars, Harris said.
At the same time Harris was trying to convince Microsoft product managers to fix the flaw, the federal government was preparing to invest heavily in cloud computing, and Microsoft wanted that business. A product manager, Harris recalled, acknowledged that the security flaw could hurt the company’s chances.
Harris eventually learned that the flaw was even more serious than he initially thought. Once again, Microsoft chose to do nothing, he said.
In 2018, a colleague of Harris’s highlighted how hackers could also bypass a common security feature called multi-factor authentication, which requires users to take one or more additional steps to verify their identity, such as entering a code sent via SMS.
Their discovery meant that no matter how many additional security measures a company put in place, a hacker could bypass them all.
When colleagues brought this new information to the MSRC, “it didn’t come to fruition,” Harris said.
Researchers outside of Microsoft also warned the company about the flaw.
In November 2017, cybersecurity company CyberArk published a blog post detailing the same flaw that Harris had identified.
Microsoft would later claim that this blog post was the first time it was aware of the problem, but CyberArk researchers told ProPublica that they contacted Microsoft staff at least twice before its publication.
Later, in 2019, cybersecurity company Mandiant publicly demonstrated at a cybersecurity conference how hackers could exploit this flaw to gain access to victims’ cloud services. The company said it informed Microsoft in advance of its findings.
Russian hackers ultimately exploited the very flaw that Harris and the others had raised.
A few months after Harris left Microsoft in 2020, his fears came true. U.S. officials confirmed reports that a state-sponsored Russian hacking team used the flaw in the SolarWinds hack. By exploiting this weakness, the hackers sucked up sensitive data from a number of federal agencies, including, ProPublica has learned, the National Nuclear Security Administration, which manages the United States’ nuclear weapons stockpile. The Russians also took advantage of this weakness to compromise dozens of Treasury Department email accounts, including those of its most senior officials.
During congressional hearings after the SolarWinds attack, Microsoft’s president insisted the company was beyond reproach.
Microsoft President Brad Smith assured Congress in 2021 that “there were no vulnerabilities in any Microsoft product or service exploited” in SolarWinds, and he said customers could have taken more steps to secure their systems.
When asked what Microsoft had done to address the flaw in the years leading up to the attack, Smith responded by listing a handful of steps customers could have taken to protect themselves. His suggestions included purchasing an antivirus product such as Microsoft Defender and securing devices with another Microsoft product called Intune.
After ProPublica published its investigation, lawmakers pressed Microsoft’s Smith on whether his earlier testimony before Congress was incorrect.
Hours after ProPublica’s investigation was published, Microsoft’s Smith appeared before the House Homeland Security Committee to discuss his company’s cybersecurity failures.
Rep. Seth Magaziner, D-R.I., asked Smith about his previous congressional testimony, in which he said Microsoft first discovered this weakness in November 2017 through the CyberArk blog post. ProPublica’s investigation, Magaziner noted, found that Harris raised the issue even earlier, only to be ignored. Lawmakers asked Smith if his earlier testimony was incorrect.
Smith objected, saying he had not read the story. “I was at the White House this morning,” he told the panel.
He also complained that ProPublica’s investigation was published the day of the hearing and said he would know more “in a week.”
However, ProPublica sent detailed questions to Microsoft nearly two weeks before the article was published and requested an interview with Smith. The company declined to make him available. Instead, Microsoft issued a statement in response. “Customer protection is always our top priority,” a spokesperson said. “Our security response team takes all security issues seriously and gives each case due diligence with a thorough manual assessment, as well as cross-confirmation with engineering and security partners. Our assessment of this issue has undergone multiple reviews and was aligned with industry consensus.”