Microsoft said on Thursday that its systems had been affected by the SolarWinds hack, but denied a report that its services had been subverted to compromise the tech titan's own customers.
Reuters reported earlier on Thursday that Microsoft had been caught up in the sweeping SolarWinds cyberattack, making its systems vulnerable to bad actors. Furthermore, Reuters said, the company's own products had been compromised by the attackers, potentially putting customers of Microsoft products like Office 365 or Azure at risk.
In response, Microsoft confirmed that it was affected by the sweeping supply-chain cybersecurity attack stemming from SolarWinds IT software — but categorically denied that customer data or its own products were at risk. "We believe the sources for the Reuters report are misinformed or misinterpreting their information," the company told Business Insider in a statement.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," Microsoft spokesman Frank Shaw said in an additional statement Thursday afternoon. "We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
Microsoft also reiterated what it said in a blog post Sunday: "We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations." In that same Sunday statement, the company said "we are also actively looking for indicators in the Microsoft environment and, to date, have not found evidence of a successful attack."
Earlier Thursday, the Cybersecurity and Infrastructure Security Agency (CISA), the nation's top cybersecurity agency, said in an alert that another cybersecurity company found evidence that the hackers bypassed Duo, a multi-factor authentication tool, to access Microsoft's Outlook email app:
"Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App," CISA wrote.
The attacks, cited by many experts as coming from a nation-state actor such as Russia, have hit a growing list of enterprises this week, including signs of hacks Thursday at the Department of Energy.