SolarWinds hackers gain access to Microsoft’s source code, the company says

WASHINGTON (Reuters) – The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and gain access to some of its source code, Microsoft said Thursday, a development experts called a worrying signal about the spies’ ambition.

PHOTO: A Microsoft logo is seen on July 28, 2015 in an office building in New York City. REUTERS/Mike Segar

Source code – the underlying set of instructions that run a piece of software or an operating system – is one of the most closely guarded secrets in the technology industry, and Microsoft has historically been particularly careful to protect it.

It is not clear how many or which of Microsoft’s source code repositories the hackers were able to access, but the disclosure indicates that the hackers who used the software company SolarWinds as a springboard to hack into sensitive U.S. government networks were also interested in the operation of Microsoft products.

Microsoft had already announced that, like other companies, it had found malicious versions of SolarWinds’ software in its network, but the source code disclosure – which appears in a blog post – is new. After Reuters reported two weeks ago that it had been breached, Microsoft said it had found no evidence of access to production services.

Three people who were informed about the case said Microsoft had known for days that the source code had been obtained. A Microsoft spokesman said security workers had been working “24 hours a day” and that “when there is information to share, it has been published and shared.”

The SolarWinds hack is one of the most ambitious cyber operations ever made public, endangering at least half a dozen federal agencies and potentially thousands of companies and other institutions. Investigators in the U.S. government and the private sector spent the holidays combing through logs to try to figure out whether their data had been stolen or modified.

Modifying the source code – which Microsoft said the hackers did not do – could have potentially disastrous consequences, given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts said that even just reviewing the code could provide hackers with insights that could help them undermine Microsoft products or services.

“The source code is the architectural blueprint of how the software is built,” said Andrew Fife of Israel-based Cycode, a source code protection company.

“If you have the blueprint, it’s much easier to design attacks.”

Matt Tait, an independent cyber security researcher, agreed that the source code could be used as a roadmap to hack Microsoft products, but he also warned that elements of the company’s source code were already widely shared – for example with foreign governments. He said he doubted Microsoft made the common mistake of leaving cryptographic keys or passwords in the code.

“It’s not going to affect the safety of their customers, at least not significantly,” Tait said.

Microsoft has noted that it allows broad internal access to its code, and former employees agreed that it is more open than other companies.

In its blog post, Microsoft said it found no evidence of access to production services or customer data.

“The investigation, which is ongoing, also found no indications that our systems were used to attack others,” it said.

Reuters reported a week ago that Microsoft-authorized resellers had been hacked and that their access to productivity programs within targets had been used to attempt to read email. Microsoft acknowledged that some vendor access had been abused, but did not say how many resellers or customers had been breached.

There has been no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

U.S. officials attributed the SolarWinds hacking campaign to Russia, a claim the Kremlin denies.

Both Tait and Ronen Slavin, chief technology officer of Cycode, said an important unanswered question is which source code repositories were accessed. Microsoft has a wide range of products, from the commonly used Windows to lesser known software, such as the social networking app Yammer and the design app Sway.

Slavin said he was concerned about the possibility that the SolarWinds hackers were poring over Microsoft’s source code as a prelude to a much more ambitious offensive.

“For me, the biggest question is: ‘Was it for the next major operation again?’” he said.

Reporting by Raphael Satter and Joseph Menn; Edited by Chris Reese, Diane Craft and Daniel Wallis
