Microsoft has identified more than 40 of its customers around the world that had problematic versions of a third-party IT management program installed and that were specifically targeted by the suspected Russian hacking campaign disclosed this week, the company said in a blog post Thursday.
The tech company said that 80% of those victims are in the US while the rest are in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
“It’s a certainty that the number and location of victims will keep growing,” said Microsoft President Brad Smith, who added that the company has worked to notify the affected organizations.
Microsoft’s analysis represents the clearest and most specific assessment yet of the scope of the damage caused by the hacking campaign, which was secretly conducted through a third-party software program sold by SolarWinds, an IT management firm.
The software that the suspected Russian malware was delivered with, SolarWinds Orion, has as many as 18,000 global customers, including government agencies, private companies and other organizations. Microsoft said Thursday that the attack “reached many major national capitals outside Russia.”
“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,” Smith wrote. “The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.”
Microsoft has been working as an investigative partner to cybersecurity firm FireEye, which is also a victim and issued the first warning about the supply chain attack.
Previously, FireEye also identified victims across several sectors and countries, including government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.
Earlier Thursday, Reuters reported that Microsoft had been compromised as well. Microsoft said it has “isolated and removed” a vulnerability in its systems tied to third-party software that had facilitated a suspected Russian hacking campaign.
Updates to the software sold by SolarWinds were used as a carrier for malicious code that US officials believe may be linked to Russia. That software was found in Microsoft’s network, the company said in a statement Thursday evening.
The statement marks Microsoft’s first public acknowledgment that in addition to investigating the malware, it was also a victim of it.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed,” the statement said.
Microsoft has not found evidence that an actual data breach occurred or that the attackers exploited their access, the company added. The company pushed back on a Reuters report that suggested Microsoft’s products had been used to compromise other victims.
“Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” Microsoft said.
This story has been updated with acknowledgment from Microsoft that it was compromised.