A former employee of Microsoft, speaking to reporters with ProPublica, has accused the company of intentionally ignoring a security flaw that was later exploited by Russian state-backed hackers.
The whistleblower says that the flaw, in Active Directory Federation Services (AD FS), was ignored because at the time Microsoft was preparing a major bid for the federal government’s cloud computing business. A product leader told him that publicly acknowledging and fixing the issue would shake customer confidence and could hurt the company, and that a “long-term workaround” was being developed instead. The vulnerability remained in place for years, until state-backed Russian hackers hit upon it in 2020 and used it to perpetrate the SolarWinds attack.
Whistleblower says security flaw was known but unaddressed from 2016 to 2020
Working for the Microsoft Global Incident Response & Recovery team in 2016, Andrew Harris was tasked with investigating the breach of an unnamed “major” US firm, a breach that may have been linked to Microsoft’s products. In the course of that work Harris discovered the serious AD FS authentication weakness that a Russian APT group would later exploit during the SolarWinds campaign.
But that incident was still years off. In the intervening time, Harris says, he repeatedly pleaded with the company to address the flaw. He was continually brushed off, with a product manager at one point intimating that a public acknowledgement and fix would hurt the company’s push for multibillion-dollar US government contracts for Microsoft’s cloud services. Harris says that he privately helped certain organizations, such as the New York Police Department, mitigate the flaw, but that federal agencies were not notified out of fear of losing federal business. Microsoft’s cloud business has been central to making it the world’s most valuable company, a position it took from Apple toward the beginning of 2024.
Harris left Microsoft in frustration in 2020. Months later, Russian hackers who had gained entry through the SolarWinds supply chain compromise used the flaw to forge authentication tokens, raid numerous government agencies and capture highly sensitive information. His account adds a substantial new element to the story, as Microsoft has remained adamant that the flaw was not its fault, even testifying to that effect before Congress in 2021. The story could also cost Microsoft some government business, as the Pentagon considers expanding its use of the company’s products as part of the rollout of its “zero trust” initiative.
Microsoft “won’t fix” culture stemmed from laser focus on Azure sales
2014 may have been a pivotal year in the change in Microsoft’s security culture. That was the year that CEO Satya Nadella took the reins. Nadella saw the company as stuck in the past and unable to innovate, coasting off the widespread use of Windows while being outpaced in other key sectors by competitors like Apple and Amazon. Nadella immediately made the Azure cloud computing division the company’s primary focus, and aggressively pitched government and corporate clients on a “hybrid” approach that, ironically, was sold as offering greater security by shifting much of the local IT burden onto Microsoft’s systems.
Product managers reportedly labored under direct orders from Nadella to maximize sales and catch up to the major lead that Amazon had taken in the cloud arena. Other former employees have supported Harris’s story, stating that feature innovation was all that really mattered among Azure developers and was the key to promotion; employees who took a security focus would see their careers stall. This established a culture of pushing security reports to a “won’t fix” status, or deferring them to the next product version (which might be years down the line).
Harris’s story also contradicts testimony given by Microsoft’s Brad Smith to the Senate Intelligence Committee in 2021, in which he claimed the company’s first knowledge of the flaw came when a Tel Aviv-based security firm outlined it as a theoretical attack in a research paper. Harris says that he had fully informed company management months earlier on a video call, specifically product manager Mark Morowczynski and director Alex Simons.
In 2018, a colleague of Harris’s demonstrated to him how an attacker could also bypass multifactor authentication when using what by then was called the “Golden SAML” technique. Harris says that this new information did nothing to sway Microsoft toward addressing the flaw.
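The reason MFA does not help against Golden SAML is that the attacker holds the AD FS token-signing key, so the SAML assertion presented to the cloud tenant is minted entirely by the attacker: its issue time, lifetime and the claim that MFA was satisfied are all attacker-chosen and the federation server never sees the request. That gives defenders one usable signal: a federated sign-in whose token has no corresponding issuance event on the AD FS server. The Python below is an added example, not code from the article or from Microsoft; it correlates constructed, simplified sign-in records against constructed AD FS token-issuance records (AD FS logs one Event ID 1200 per token it actually issues, but the field names, the 30-second clock-skew window and the 60-minute lifetime policy are assumptions for the example).

```python
"""Flag federated sign-ins whose SAML token was never issued by AD FS
(Golden SAML indicator). Added example with constructed sample data."""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like 2020-12-01T10:00:05Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: tokens the federation server really issued (one record
# per AD FS Event ID 1200; fields simplified for the example).
ADFS_ISSUED = [
    {"time": "2020-12-01T10:00:05Z", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2020-12-01T10:30:12Z", "user": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed sample: cloud-side sign-ins for the same federated tenant.
# 'token_issued' / 'token_lifetime_min' come from the assertion's IssueInstant
# and NotOnOrAfter; 'mfa_claimed' is what AuthnContextClassRef asserts. In a
# Golden SAML token all three are set by the attacker, so the cloud side
# sees "MFA satisfied" although no MFA prompt ever happened.
CLOUD_SIGNINS = [
    {"time": "2020-12-01T10:00:07Z", "user": "alice@corp.example",
     "token_issued": "2020-12-01T10:00:05Z", "token_lifetime_min": 60,
     "mfa_claimed": True, "ip": "198.51.100.10"},
    {"time": "2020-12-01T10:30:13Z", "user": "bob@corp.example",
     "token_issued": "2020-12-01T10:30:12Z", "token_lifetime_min": 60,
     "mfa_claimed": False, "ip": "198.51.100.11"},
    # Forged: 03:14 UTC, week-long token, MFA asserted, no AD FS record.
    {"time": "2020-12-01T03:14:00Z", "user": "alice@corp.example",
     "token_issued": "2020-12-01T03:13:50Z", "token_lifetime_min": 10080,
     "mfa_claimed": True, "ip": "203.0.113.9"},
]

MAX_TOKEN_LIFETIME_MIN = 60          # assumed relying-party token lifetime policy
MATCH_WINDOW = timedelta(seconds=30)  # assumed tolerance for clock skew


def find_forged_tokens(signins, adfs_events,
                       max_lifetime=MAX_TOKEN_LIFETIME_MIN, window=MATCH_WINDOW):
    """Return one finding per sign-in that looks like a forged SAML token."""
    issued_by_user = {}
    for ev in adfs_events:
        issued_by_user.setdefault(ev["user"], []).append(parse_ts(ev["time"]))

    findings = []
    for s in signins:
        reasons = []
        t_issued = parse_ts(s["token_issued"])
        # A genuine token has an AD FS issuance event at (about) its IssueInstant.
        matched = any(abs(t_issued - t) <= window
                      for t in issued_by_user.get(s["user"], []))
        if not matched:
            reasons.append("no AD FS issuance event near IssueInstant")
            if s["mfa_claimed"]:
                reasons.append("token asserts MFA that AD FS never performed")
        # Attackers set NotOnOrAfter far beyond what policy would ever issue.
        if s["token_lifetime_min"] > max_lifetime:
            reasons.append(f"token lifetime {s['token_lifetime_min']}m "
                           f"exceeds policy {max_lifetime}m")
        if reasons:
            findings.append({"user": s["user"], "time": s["time"],
                             "ip": s["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_forged_tokens(CLOUD_SIGNINS, ADFS_ISSUED):
        print(f"{f['time']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

The correlation only works if AD FS auditing is enabled and the 1200 events are shipped off the federation server, which the attacker also controls once the signing key is stolen; a sign-in the AD FS server has no record of is the strongest indicator, while lifetime and MFA anomalies are supporting evidence. Confirming the theft itself means rotating the token-signing certificate and treating every token issued under the old one as suspect.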
Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Centre, notes that this dynamic is frequently present in corporate settings: “Without getting into the specifics of the incident, the nature of this incident and its timeline highlights the tension that often exists between technical teams and their business peers. For a technical team, any weakness, particularly within code that is an area of expertise for that team, represents a priority to be addressed. If that weakness then becomes exploitable, then technical teams are even more eager to address the issue. The problem is that new features and enhancement requests from top customers often have greater business value than bug fixes – even if those bugs are security bugs. While we would all love to say that all software developers address security issues first, and then address new features, the reality is that R&D efforts are prioritised based on business impact. It is the impact of this dynamic that is behind efforts like CISA’s Secure by Design principles and the concepts of “Radical Transparency” which contribute to various software assurance efforts promoting transparency into development and deployment practices as a means of reducing business risks associated with the usage of software.”
Jeff Williams, co-founder and CTO at Contrast Security, thinks that Microsoft may not have been entirely negligent in addressing the security flaw: “Microsoft is getting excoriated for taking a long time to respond to what turned out to be a very serious vulnerability. While it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture. The unfortunate reality is that software is far more complex than most people understand. A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software, and often multiple language platforms. And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers, and more. The overwhelming majority of these reports turn out to be false, unexploitable, or low risk — but the investigation of each one takes many hours, often days, and sometimes weeks or months. Microsoft has to prioritize these vulnerability reports based on the information they have, which may be spotty, incomplete, erroneous, etc… It is inevitable that some serious vulnerabilities will be scored incorrectly and not investigated in a timely manner.
“I’m not excusing the mistake, just recognizing that the reality in the market is that no company can immediately respond to every theoretical vulnerability report. It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government ALL carry huge application vulnerability backlogs. In most companies I talk with, the number is usually hundreds of thousands or millions of vulnerabilities that are waiting to be investigated. This is all of our fault. We reward companies for new features, not security. Our governments have not mandated serious security transparency on companies or created a liability regime for software producers. We don’t have “Security Facts” on software products to assist consumers in choosing secure products and pushing the market in the right direction. We all bear responsibility. And we are all SolarWinds. If you want secure software, you won’t get it by pretending that all software is secure and punishing the latest one to get breached — like some futuristic Russian Roulette. The only way out of this is to reform the software market and change the incentives for software producers,” added Williams.
Smith just went before Congress again earlier this month, fielding questions about the breach that allowed Chinese agents to infiltrate US government email accounts in 2023.