Microsoft says SolarWinds hackers stole source code for 3 products

By | February 18, 2021
Shadowy figures stand beneath a Microsoft logo on a faux wood wall.

The hackers behind one of the worst breaches in US history read and downloaded some Microsoft source code, but there’s no evidence they were able to access production servers or customer data, Microsoft said on Thursday. The software maker also said it found no evidence the hackers used the Microsoft compromise to attack customers.

Microsoft released those findings after completing an investigation begun in December, after learning its network had been compromised. The breach was part of a wide-ranging hack that compromised the distribution system for the widely used Orion network-management software from SolarWinds and pushed out malicious updates to Microsoft and roughly 18,000 other customers.

The hackers then used the updates to compromise nine federal agencies and about 100 private-sector companies, the White House said on Wednesday. The federal government has said that the hackers were likely backed by the Kremlin.

In a post Thursday morning, Microsoft said it had completed its investigation into the hack of its network.

“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” Thursday’s report stated. “We continued to see unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped.”

The vast majority of source code was never accessed, and for those repositories that were accessed, only a “few” individual files were viewed as a result of a repository search, the company said. There was no case in which all repositories for a given product or service were accessed, the company added.

For a “small” number of repositories, there was additional access, including the downloading of source code. Affected repositories contained source code for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components

Thursday’s report went on to say that, based on searches the hackers performed on repositories, their intent appeared to be uncovering “secrets” included in the source code.

“Our development policy prohibits secrets in code and we run automated tools to verify compliance,” company officials wrote. “Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”

The hack campaign began no later than October 2019, when the attackers used the SolarWinds software build system in a test run. The campaign wasn’t discovered until December 13, when security firm FireEye, itself a victim, first revealed the SolarWinds compromise and the resulting software supply chain attack on its customers. Other organizations hit included Malwarebytes, Mimecast, and the US departments of Energy, Commerce, Treasury, and Homeland Security.