The hackers behind one of the most serious breaches in US history accessed and downloaded a significant amount of Microsoft source code. However, Microsoft stated that it found no evidence the hackers were able to access production servers or any customer data, and no evidence that they used Microsoft's compromised systems to attack any customers.

The company released the findings after completing an investigation that began in December, when it learned of the network compromise. The breach was part of a wide-ranging hack that took over the distribution systems for the widely used Orion network-management software from SolarWinds and pushed malicious updates to Microsoft and roughly 18,000 other customers. The hackers then used those updates to compromise nine major federal agencies and around 100 private-sector companies.


The federal government stated that the Kremlin most likely backed the hackers. A recent post by Microsoft described the company's investigation into the network hack. “The analysis by Microsoft shows that the initial viewing of a file in a source code repository occurred in late November and ended when Microsoft secured the affected accounts. We also witnessed several unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped.”

A significant part of the source code was never accessed. Microsoft stated that, for the repositories the hackers did reach, only a handful of individual files were viewed, as the result of a repository search. There was no case in which the repositories for a specific product or service were accessed.

For a handful of repositories there was additional access, including downloading of source code. The affected repositories held source code for:

  • A specific subset of Azure components (subsets of service, security, identity)
  • A specific subset of Intune components
  • A specific subset of Exchange components

The report also stated that, based on the searches the hackers ran against the repositories, their intent appeared to be finding “secrets” embedded in the source code.

“The development policy of Microsoft prohibits any secrets in code, and we regularly run automated tools to verify compliance,” Microsoft stated. “Because of the detected activity, we could immediately initiate a thorough verification process for the current and historical branches of the various repositories. We have confirmed that the repositories complied and did not contain any live or production credentials.”
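As an added illustration, not Microsoft's tooling or code from this article, the following Python sketch shows the kind of automated check the statement describes: scanning every historical snapshot of a repository for credential-like strings, with an entropy filter so placeholders are not reported. The rule set, the commit snapshots and every value in them are constructed for this example.

```python
import math
import re

# Constructed rule set for this example; production scanners ship far more rules.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders such as REPLACE_ME score lower

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random-looking tokens score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(text: str) -> list:
    """Return (rule, value) pairs for likely secrets in one file's contents."""
    hits = [("aws-access-key-id", m.group(0))
            for m in PATTERNS["aws-access-key-id"].finditer(text)]
    for m in PATTERNS["generic-credential"].finditer(text):
        value = m.group(1)
        # Entropy filter: skip obvious placeholders so real leaks surface first.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("generic-credential", value))
    return hits

def scan_history(commits):
    """Scan every snapshot, not only HEAD: a secret deleted later was still exposed."""
    return [(commit_id, path, rule, value)
            for commit_id, files in commits
            for path, content in files.items()
            for rule, value in find_secrets(content)]

# Constructed commit history (commit id, {path: contents}), oldest first.
# The key in a1 and the AKIA value in a2 are made up; neither is a real credential.
COMMITS = [
    ("a1", {"config.py": 'API_KEY = "kX9vQ2mZ7rT4wB8nL1pS6dF3hJ0cG5yA"\nDEBUG = True\n'}),
    ("a2", {"config.py": 'API_KEY = os.environ["API_KEY"]\n',
            "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n"}),
    ("a3", {"config.py": 'API_KEY = os.environ["API_KEY"]\n',
            "deploy.sh": 'export AWS_ACCESS_KEY_ID="$AWS_KEY"\n',
            "settings.example": 'password = "REPLACE_ME"\n'}),
]

if __name__ == "__main__":
    print("HEAD only:", scan_history(COMMITS[-1:]))   # clean
    print("full history:", scan_history(COMMITS))      # two findings
```

Scanning only the latest snapshot reports nothing, while the full history shows the two secrets that were committed and later removed, which is why checking historical branches matters.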

The campaign began in October 2019, when the hackers used the SolarWinds software build system for a test run. It went undetected until December 13, when security firm FireEye, itself a victim, first revealed the SolarWinds compromise and the resulting software supply chain attack on its customers. Other affected organizations include Malwarebytes, Mimecast, and the US Departments of Energy, Commerce, Treasury, and Homeland Security.