Microsoft's systems were breached and their secrets sold on the black market after an espionage campaign that compromised software vendor SolarWinds, according to newly revealed details of a sweeping investigation into the attack.
The investigation into the breach of U.S. and international targets began when a SolarWinds engineer discovered malware on a company laptop in April. The malware was traced back to an unnamed third-party company, which had been breached in December, according to court documents.
The attacks on SolarWinds and the third-party company began in September, court documents say.
The hackers behind the espionage campaign used a browser-based cross-site scripting (XSS) vulnerability to contaminate SolarWinds customers with malware. The malware was detected on customers’ systems, including military contractors and government agencies, according to court filings.
Those third-party companies running SolarWinds products used the Web-based services management tool to collect data from customer systems, according to court documents. The investigators believe the hackers were after electronic intelligence (ELINT) data.
By February 2016, investigators had uncovered the source of the attack: a Chinese search engine company.
“The fact that the source of this activity was located in China is interesting as its theft of American and other intellectual property by state sponsored actors has been much in the news recently,” according to a court filing published by the U.S. Securities and Exchange Commission on Thursday.
Investigators say the sophistication of the malware, which was delivered via spear phishing email, suggests the implants had been created with both the intent and knowledge of Chinese intelligence.
The discovery of the implants led U.S. investigators to examine other SolarWinds customers and employees, according to court documents. Although the SolarWinds executive responsible for conducting the malware analysis was reprimanded for his role in the incident, he was not disciplined or fired. However, the third-party company was fined $100,000, according to court documents.
The court documents don’t mention how the NSA came into possession of the malware, but they do list the origins of the initial malware implant.
“The first implant was created on a computer located within a computer system managed by an unnamed foreign intelligence agency,” according to the court filing.