Statement from Microsoft President here on security<p>https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/<p>"One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps."<p>"a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries."<p>"As humanity raced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19."<p>"One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down."
How will this even begin to be remediated (the broader hack that is coming to light right now)?<p>It seems like malicious actors had unrestricted access to almost every major computer system in the US Government, and now possibly <i>Microsoft itself</i> as well?<p>How are these people ever going to be able to trust any of this equipment ever again? This just seems unbelievably catastrophic.
Microsoft has now categorically denied it.<p>"We have no indication of this," company President Brad Smith told New York Times reporter Nicole Perlroth. Perlroth said the company stood by a statement it issued on Sunday saying it had no indication of a vulnerability in any Microsoft product or cloud service in its investigations of the hacking campaign.
>The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers<p>I believe there is a common overestimation of the security of cloud providers. Microsoft Azure was just breached and that's only what we know. There might be breaches at other cloud providers we're not aware of.<p>Centralization creates an exponentially growing incentive for bad actors. Decentralization has been given up too soon.
It is always events like these that make me ponder if the Internet will devolve into regional Internets, which still wouldn't necessarily prevent or stop any determined attacker from performing these types of attacks. So perhaps it's never.
I wonder when we will hear the news that all major clouds have been breached and data has been leaking for months/years...would be interesting to see. My wet dream is that people ditch the cloud to hold their own infrastructures.
I’m hesitant to blame anyone before we understand the full scope. “Breached into Microsoft” could mean they hacked into a guest public WiFi access point.
If you're a cybersecurity consultant, you can practically dictate your salary at this point. What's $3,000/hour to the government or a Fortune 500 to recover from a cyberattack like this?<p>There must be a lot of all-nighters behind the scenes.
Goes to show that you are only as secure as your weakest dependency. Allow and trust software into your organization built by a system protected by an obvious single-factor password (which you didn't know about or ask) and no matter what else you did, you are screwed.<p>I worked at a healthcare company that stored its production credentials (with no login auditing) in a plain text file accessible by half the employees and contractors, and when I complained that this was dumb (and violated HIPAA) was told "we passed our audits and we trust our employees".
I am not surprised; it's a dirty little secret in the software industry that we employ a lot of Russian and other potentially vulnerable Eastern European software contractors. Not to blame anyone specifically, I mean the threat could equally come from India or China. Or even a direct hack. It could also be an insider threat from an American as well. Since software development is a complicated profession, it takes a lot of intelligent oversight to ensure that critical paths are secure, especially as we migrate to cloud and site-wide solutions.
What is the actual evidence that the hack was done by Cozy Bear/APT29/Russia?<p>I keep seeing this information repeated all over the place, but no mention of how that is actually known.
Here's the link to the NSA Cyber Advisory mentioned in the article:
https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2434988/russian-state-sponsored-malicious-cyber-actors-exploit-known-vulnerability-in-v/
> Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.<p>Thoughts on this? It seems unlikely to me that someone who compromises literally <i>the</i> enterprise desktop OS manufacturer isn't going to take advantage of the situation.