As part of its ongoing investigation into the SolarWinds cyberattack, Microsoft has revealed that its internal source code was likely accessed by the attackers. The company had earlier confirmed that it too was compromised in what is being seen as one of the world’s largest cyberattacks, which primarily targeted the United States (US) government and several private organisations. The SolarWinds cyberattack was first revealed in December by cyber-security firm FireEye.
Q. What has Microsoft revealed in its new investigations?
Microsoft’s internal security research team has found evidence that the attackers accessed some internal source code in the company’s systems. The ‘Solorigate incident’, as Microsoft has termed it in its blog, showed there were “attempted activities beyond just the presence of malicious SolarWinds code in our environment.”
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company wrote. According to Microsoft, the account did not have the permissions required to access or modify the code, nor was it authorised to access the engineering systems.
The company says so far the investigation confirmed no changes were made to this source code. “These accounts were investigated and remediated,” adds the company.
Q. What does this mean?
Microsoft has not confirmed what source code was accessed by the hackers. However, the fact that the hackers got in so deep is quite worrying, given source code is crucial to how any piece of software works. Source code is the key to how a software product is built and if compromised could leave it open to new, unknown risks. Hackers could use this information to exploit any potential weakness in the programmes.
Microsoft says “this activity has not put at risk the security of our services or any customer data,” but adds they believe this attack was carried out by “a very sophisticated nation-state actor.” The company says that there’s no evidence that its systems were used to attack others.
Q. What else has Microsoft revealed?
Microsoft says it relies on “open source software development best practices” and “an open source-like culture” for the development of its software. Typically, source code is viewable by teams within Microsoft, according to the blog. The company also notes that its threat models “assume that attackers have knowledge of source code.” Microsoft is downplaying the risk, saying that merely viewing the source code should not create any new, elevated risk.
Microsoft says it has multiple defensive protections in place to stop attackers if and when they do gain access. It says there is evidence the hackers’ activities were “thwarted” by the company’s existing protections.
Q. What else has been revealed in this SolarWinds hack?
The problem with this cyberattack is that it has been going on for so long that its full scale remains unknown. In fact, the attack may have started earlier than last spring, which is when it was previously believed to have begun.
The sheer scale of the attack also remains unknown, according to most reports. Meanwhile, FireEye, which discovered the attack, has revealed new details about the Sunburst malware. The malware exploited the SolarWinds Orion software, which is used by thousands of companies, including several US government agencies.
According to FireEye, Sunburst (a malicious version of a digitally signed SolarWinds Orion plugin) contains a backdoor that communicates via HTTP to third-party servers. The plugin appears to remain dormant for “a period of up to two weeks,” after which it starts executing commands and carrying out tasks such as “transfer of files, execute files, profile the system, reboot the system, and disable system services.”
It also appears that the malware “performs numerous checks to ensure no analysis tools are present,” according to FireEye. This cautious approach is what helped the malware “evade detection by anti-virus software and forensic investigators for seven months after its introduction to the SolarWinds Orion supply chain,” according to the cyber-security firm.