The hackers behind one of the worst breaches in US history read and downloaded Microsoft’s source code, but there’s no evidence they had access to production servers or customer data, Microsoft said Thursday. The software maker also said it has found no evidence that the hackers used the Microsoft compromise to attack customers.
Microsoft released those findings after completing an investigation that began in December after learning that its network had been compromised. The breach was part of a large-scale hack that compromised the distribution system for SolarWinds’ widely used Orion network management software and pushed malicious updates to Microsoft and about 18,000 other customers.
The hackers then used the updates to compromise nine federal agencies and about 100 private sector companies, the White House said Wednesday. The federal government has said the hackers were likely backed by the Kremlin.
In a message Thursday morning, Microsoft said it had completed its investigation into the hack of its network.
“Our analysis shows that the first viewing of a file in a resource repository was in late November and ended when we secured the affected accounts,” the report said on Thursday. “We continued to see unsuccessful attempts at access by the actor until early January 2021, when the attempts stopped.”
The vast majority of source code was never opened, and for those repositories that were opened, only “a few” individual files were viewed as a result of a repository search, the company said. There was no instance in which all the repositories for a particular product or service were accessed, the company added.
For a “small” number of repositories, there was additional access, including source code download. Affected repositories contain source code for:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
Thursday’s report went on to say that, based on searches the hackers conducted on repositories, their intent appeared to be to expose “secrets” in the source code.
“Our development policy prohibits secrets in code and we use automated tools to verify compliance,” company officials wrote. “Due to the activity detected, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories are compliant and do not contain live production data.”
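The kind of automated check the report refers to, as an added example that is not Microsoft's own tooling: a small Python scanner that flags common credential formats and random-looking values assigned to password-like names in source files, with a constructed sample file embedded (the AWS value is the documented example key, not a live credential). The rule names, the entropy threshold of 4.0 bits per character and the sample are assumptions.

```python
import math
import re
import sys

# Constructed detection rules for this example (not Microsoft's own tooling);
# a rule with a capture group reports only the captured value.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"""(?i)\b(?:password|secret|api[_-]?key|token)\b\s*[:=]\s*["']([^"']{8,})["']"""),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((value.count(c) / n) * math.log2(value.count(c) / n) for c in set(value))

def scan_text(text: str, path: str = "<memory>", entropy_threshold: float = 4.0) -> list:
    """Return (path, line_no, rule, redacted_value) for each suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in RULES.items():
            for match in regex.finditer(line):
                value = match.group(1) if regex.groups else match.group(0)
                # Assignment matches count only when the value looks random, which
                # keeps placeholders such as "changeme" out of the report.
                if regex.groups and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((path, line_no, rule, value[:8] + "..."))
    return findings

# Constructed sample file; the AWS value is the documented example key, not a live credential.
SAMPLE = """\
password = "changeme"               # low-entropy placeholder: not reported
API_KEY = "q8Zx3vL0pTy7WmNk2RbH"    # random-looking value: reported
aws_key = AKIAIOSFODNN7EXAMPLE      # access key ID format: reported
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Scan files named on the command line, or the embedded sample when none are given.
    if len(sys.argv) > 1:
        hits = [h for p in sys.argv[1:] for h in scan_text(open(p, errors="replace").read(), p)]
    else:
        hits = scan_text(SAMPLE, "sample.py")
    for hit in hits:
        print("%s:%d [%s] %s" % hit)
```

Running it over every branch of a repository, not only the current one, is what catches a secret that was committed and later removed from the head.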
The hacking campaign began no later than October 2019, when the attackers tested the SolarWinds software build system. The campaign was not discovered until December 13, when security firm FireEye, itself a victim, first revealed the SolarWinds compromise and the resulting software supply chain attack on its customers. Other organizations affected included Malwarebytes, Mimecast and the US Departments of Energy, Commerce, Finance and Homeland Security.