- Microsoft revealed that the SolarWinds hackers were able to breach its security and access sensitive source code, although they could not make any changes to it.
- The company said that the hackers did not access production services or customer data, and that the company’s systems were not used to attack other targets.
- Some security experts think that even a glance at source code data might provide information that could help with future attacks.
One of the worst things that happened last year was the massive SolarWinds hack from mid-December that impacted government agencies and Fortune 500 companies. Hackers attempt attacks like this all the time, but the SolarWinds attack is more dangerous because it’s believed to have originated from Russia. The Kremlin might deny the operation, but experts have pointed the finger at Russia since the early days of the investigation. More than two weeks after the hacks, Microsoft disclosed that the attackers were able to access a critical asset: the source code of one or more undisclosed products.
Microsoft explained in a blog post that the hackers were not able to modify the source code. But even a glance at source code from a company like Microsoft might be enough for hackers to develop new attacks that compromise other Microsoft products.
If a nation-state initiated the SolarWinds attack, then the source code access is even more important. Microsoft did not explain in its blog post what type of source code was seen, so it’s unclear what kind of software might be impacted. Let’s not forget that Microsoft makes plenty of software other than just Windows. The company produces tons of software, which explains why hackers would go after its secrets. The list includes the popular Office suite, as well as a variety of apps and cloud solutions. Many companies and government agencies depend on Microsoft software, and source code insights could offer attackers new ways to circumvent security solutions and penetrate targets in future attacks.
Microsoft published its new findings on December 31st, but Reuters reports that three people briefed on the matter said the software giant had already known for days that its source code had been breached during the attack.
“The source code is the architectural blueprint of how the software is built,” Cycode’s Andrew Fife told the news organization. Cycode is an Israel-based company that develops source code solutions. “If you have the blueprint, it’s far easier to engineer attacks.” Cycode’s chief technology officer Ronen Slavin wondered what sort of source code was accessed. “To me, the biggest question is, ‘Was this recon for the next big operation?’” Slavin asked.
This is how Microsoft described the unauthorized source code access:
We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
The company also explained that its investigation has found “no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.” The FBI is also investigating the SolarWinds attacks.
Microsoft did not name Russia in the post, but made it clear that it believes it’s fighting against “a very sophisticated nation-state actor.”
The company also says that it employs an “assume breach” philosophy in its security practices, meaning it operates on the assumption that attackers will get past its defenses. The company also explained that it uses open-source principles internally to make source code viewable within Microsoft. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” the company wrote. “So viewing source code isn’t tied to elevation of risk.”
Microsoft’s blog post is meant to reassure governments and customers, but the fact remains that hackers might be in possession of the kind of secrets they shouldn’t have access to. Time will tell if gaining access to Microsoft’s source code will allow the same team of attackers to create even more sophisticated hacks.