After Russian hackers exploited a flaw in a widely used Microsoft product during one of the largest cyberattacks in U.S. history, the software giant downplayed its culpability. However, a recent ProPublica investigation revealed that a whistleblower within Microsoft’s ranks had repeatedly attempted to convince the company to address the weakness years before the hack — and that the company rebuffed his concerns at every step.
Here are the key things you need to know about that whistleblower’s efforts and Microsoft’s inaction.
Years before the SolarWinds hack was discovered in 2020, a Microsoft engineer found a security flaw these hackers would eventually exploit.
In 2016, while researching an attack on a major tech company, Microsoft engineer Andrew Harris said he discovered a flaw in the company’s Active Directory Federation Services, a product that allowed users to sign on a single time for nearly everything they needed. As a result of the weakness, millions of users — including federal employees — were left exposed to hackers.
Harris said the Microsoft team responsible for handling reports of security weaknesses dismissed his concerns.
The Microsoft Security Response Center determines which reported security flaws need to be addressed. Harris said he told the MSRC about the flaw, but it decided to take no action. The MSRC argued that, because hackers would already need access to an organization’s on-premises servers before they could take advantage of the flaw, it didn’t cross a so-called “security boundary.” Former MSRC members told ProPublica that the center routinely rejected reports of weaknesses using this term, even though it had no formal definition at the time.
Microsoft product managers also refused to address the problem.
Following the MSRC’s decision, Harris escalated the issue to Microsoft product leaders who, he said, “violently agreed with me that this is a huge issue.” But, at the same time, they “violently disagreed with me that we should move quickly to fix it.”
Harris had proposed the temporary solution of suggesting that customers turn off the seamless single sign-on function. That move would eliminate the threat but result in users needing to log on twice instead of once. A product manager argued that it wasn’t a viable option because it risked alienating federal government customers and undermined Microsoft’s strategy to marginalize a top competitor.
Microsoft was also concerned that going public with the flaw could hurt its chances of winning future government contracts worth billions of dollars, Harris said.
At the time Harris was trying to convince Microsoft product leaders to address the flaw, the federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him.
Harris eventually learned that the flaw was even more dire than he originally thought. Once again, Microsoft opted to not take action, he said.
In 2018, a colleague of Harris’ pointed out how hackers could also bypass a common security feature called multifactor authentication, which requires users to perform one or more additional steps to verify their identity, such as entering a code sent via text message.
Their discovery meant that, no matter how many additional security steps a company puts in place, a hacker could bypass them all.
When the colleagues brought this new information to the MSRC, “it was a nonstarter,” Harris said.
Researchers outside of Microsoft also warned the company about the flaw.
In November 2017, cybersecurity firm CyberArk published a blog post detailing the same flaw Harris had identified.
Microsoft would later claim this blog post was the first time it had learned of the issue, but researchers at CyberArk told ProPublica they had reached out to Microsoft staff at least twice before publication.
Later, in 2019, cybersecurity firm Mandiant would publicly demonstrate at a cybersecurity conference how hackers could exploit the flaw to gain access to victims’ cloud services. The firm said it had given Microsoft advance notice of its findings.
Russian hackers ultimately exploited the very flaw Harris and the others had raised.
Within months of Harris leaving Microsoft in 2020, his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers used the flaw in the SolarWinds hack. Exploiting the weakness, hackers vacuumed up sensitive data from a number of federal agencies, including, ProPublica learned, the National Nuclear Security Administration, which maintains the United States’ nuclear weapons stockpile. The Russians also used the weakness to compromise dozens of email accounts in the Treasury Department, including those of its highest-ranking officials.
In congressional hearings after the SolarWinds attack, Microsoft’s president insisted the company was blameless.
Microsoft President Brad Smith assured Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in SolarWinds, and he said customers could have taken more steps to secure their systems.
When asked what Microsoft had done to address the flaw in the years before the attack, Smith responded by listing a handful of steps that customers could have taken to protect themselves. His suggestions included purchasing an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune.
After ProPublica published its investigation, lawmakers pressed Microsoft’s Smith if his prior testimony before Congress was incorrect.
Hours after the ProPublica investigation was published, Microsoft’s Smith appeared before the House Homeland Security Committee to discuss his company’s cybersecurity failures.
Rep. Seth Magaziner, D-R.I., asked Smith about his prior congressional testimony, in which he said that Microsoft had first learned about this weakness in November 2017 from the CyberArk blog post. ProPublica’s investigation, Magaziner noted, found that Harris had raised it even earlier, only to be ignored. The lawmaker asked Smith if his prior testimony was incorrect.
Smith demurred, saying he hadn’t read the story. “I was at the White House this morning,” he told the panel.
He also complained that ProPublica’s investigation was published the day of the hearing and said that he’d know more about it “a week from now.”
However, ProPublica had sent detailed questions to Microsoft nearly two weeks before the story was published and had requested an interview with Smith. The company declined to make him available. Instead, Microsoft had issued a statement in response. “Protecting customers is always our highest priority,” a spokesperson said. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”