Microsoft has issued an update on its ongoing internal investigation of the SolarWinds hack, which had reportedly compromised a few of its internal systems. The tech giant has now confirmed that it traced a compromised account that had been used to view source code in some of its internal repositories.
Earlier in December 2020, the entire world shook to the tremors of the SolarWinds supply chain attack. The White House issued a press release stating that multiple government agencies and departments, including the U.S. Department of the Treasury, a section of the U.S. Department of Commerce, and the National Nuclear Security Administration (NNSA), among others, were compromised during the widespread attack.
Mayday for Tech Giants
This hack was not limited to government institutions; tech giants like Microsoft, Boeing, and FireEye were also affected. In mid-December 2020, Microsoft, in an official notification, acknowledged that it had been hacked. As a precautionary measure, it worked with other industry heavyweights such as FireEye and GoDaddy to create a kill switch designed to stop the spread of the Sunburst malware. Microsoft further informed its partners and customers that the investigation of its compromise was ongoing and that it would issue regular updates.
Microsoft Issues Update
Staying true to its word, Microsoft issued an update on its internal investigation on New Year’s Eve. The update noted the following observations:
- No evidence of the attackers accessing production services or customer data of Microsoft.
- No indications of Microsoft’s systems being used to attack others.
- No evidence that the common TTPs (tools, techniques, and procedures) related to the abuse of forged SAML tokens were used against Microsoft’s corporate domains.
- Detected unusual activity with a small number of internal accounts. Upon review, it was found that one of the compromised accounts was used to view source code in several source code repositories.
- However, this unauthorized access did not put Microsoft at any security risk, as the compromised account had only viewing rights and no modification rights.
- The affected accounts have now been remediated.
- Microsoft has recorded evidence of multiple attempts to penetrate its systems. However, its use of Privileged Access Workstations (PAWs), along with a host of other industry-standard protection practices, made it possible to thwart these attempts.
Viewing the Source Code, No Big Deal!
Generally, when attackers gain access to the source code of a system, application, or other piece of software, developers break into a sweat, because the attackers can then search the code for vulnerabilities and exploit them in future attacks. However, Microsoft, in its update, suggested otherwise:
At Microsoft, we have an inner source approach – the use of open-source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So, viewing source code is not tied to elevation of risk.
As with many companies, we plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.