Microsoft confirmed that viewing source code doesn’t elevate the risk.
While Microsoft is busy investigating the massive SolarWinds cyberattack campaign in which dozens of US government and private institutions were attacked, the company made another startling revelation that has given a whole new twist to the entire SolarWinds fiasco.
Microsoft Source Code Exposed
Microsoft’s Security Response Center team has identified that its systems were infiltrated beyond the malicious SolarWinds code. In its latest update regarding the SolarWinds’ investigation, Microsoft revealed that hackers had viewed its source code “in a number of source code repositories.”
However, the hacked account used to access the source code didn’t offer permission to modify the code or systems.
The Harmless Intrusion
According to a blog post published by Microsoft’s research team, hackers did manage to delve deeper into its systems, but the intrusion hasn’t caused any additional harm. It seems like Microsoft is playing down the risk associated with this further intrusion.
The company further stated that its software development relies on the inner source, which is a practice that involves code sharing within the company. Since it doesn’t rely on keeping the program code a secret and utilizes other defensive mechanisms to prevent attacks, the incident didn’t cause any harm to its systems’ security.
No Customer Data Accessed
Microsoft has confirmed that there’s no evidence that the hacker managed to access customer data or used its systems to target other systems. The company explained that the hack began in March, around the same time when the malicious code was injected into the SolarWinds software updates.
Microsoft collaborated with cybersecurity firm FireEye, which itself was targeted in the campaign, to respond to the breach.
We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated, wrote the MSRC Team.
Possible Involvement of a Nation-State
The US officials believe that the Russian government is backing the SolarWinds hacking campaign. Microsoft also hinted at the involvement of a ‘sophisticated nation-state actor’ in this hacking spree. Brad Smith, Microsoft president, stated that this attack is a reckoning moment for the cybersecurity fraternity.
“This is not ‘espionage as usual. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” Smith said.
In December, Microsoft identified over 40 government organizations, private companies, think tanks, and non-government entities targeted possibly by Russian state-sponsored actors. However, Russia has denied any involvement in this campaign.