Microsoft says SolarWinds hackers stole source code for three products

Shadowy figures stand under a Microsoft logo on a wall of faux wood.

The hackers behind one of the worst breaches in U.S. history read and downloaded Microsoft’s source code, but there is no evidence that they were able to access production servers or customer data, Microsoft said Thursday. The software maker also said it had found no evidence that the hackers used the Microsoft compromise to attack its customers.

Microsoft released the findings at the conclusion of an investigation it launched in December, after discovering that its network had been compromised. The breach was part of an extensive hacking campaign that compromised the distribution system for SolarWinds’ widely used Orion network management software and pushed malicious updates to Microsoft and about 18,000 other customers.

The hackers then used the updates to compromise nine federal agencies and about 100 private businesses, the White House said Wednesday. The federal government has said the hackers are likely backed by the Kremlin.

In a report Thursday morning, Microsoft said it had completed its investigation into the hacking of its network.

“Our analysis shows that the first file in a source repository was only in late November and that it ended when we secured the relevant accounts,” Thursday’s report reads. “We continued to see unsuccessful access attempts by the actor in early January 2021, when the efforts stopped.”

The vast majority of the source code was never accessed, and for the repositories that were, only a few “individual files were seen as a result of a repository search,” the company said. In no case were all of the repositories for a particular product or service accessed, the company added.

For a “small” number of repositories there was additional access, including downloading of source code. The affected repositories contain source code for:

  • a small subset of Azure components (service, security and identity)
  • a small subset of Intune components
  • a small subset of Exchange components

Thursday’s report further said that, based on the searches the hackers ran against the repositories, they appear to have been trying to find “secrets” in the source code.

“Our development policy prohibits secrets in code and we use automated tools to verify compliance,” Microsoft wrote. “Due to the detected activity, we immediately started a verification process for current and historical branches of the repositories. We have confirmed that the repositories comply with it and do not contain any live production evidence.”

The hacking campaign began no later than October 2019, when the attackers used the SolarWinds software build system in a test run. The campaign was discovered only on December 13, when security firm FireEye, itself a victim, first disclosed the SolarWinds compromise and the resulting software supply chain attack on its customers. Other affected organizations include Malwarebytes, Mimecast and the U.S. Departments of Energy, Commerce, Treasury and Homeland Security.
