Microsoft today disclosed its discovery that the attackers behind the SolarWinds breach and rigged software update had commandeered one of its internal accounts to view — but not alter — some of its source code "in a number of source code repositories."
The revelation is the latest twist in a complex breach believed to be perpetrated by Russian hackers on behalf the nation's SVR intelligence arm that has infiltrated major US government agencies, including the US State Department and Treasury, as well as major companies such as Microsoft and FireEye, the security giant that first detected and revealed the breach. The so-called Dark Halo group (aka UNC2452) infiltrated network management vendor SolarWinds' software build system and planted a backdoor called Sunburst into updates of the company's Orion software used by the victims. Some 33,000 organizations worldwide received the software update, and around 18,000 installed it on their systems — including Microsoft.
SolarWinds' Orion software wasn't the only initial attack vector, however. The Cybersecurity & Infrastructure Security Agency (CISA) said the attackers used other methods as well, which have not yet been publicly disclosed.
Microsoft said that the attackers' viewing its source code poses no increase in security risk because its security threat model assumes attackers have some knowledge of the code. One of Microsoft's user accounts was used by the attackers to view the company's source code, but the company said that account was not authorized to modify code or engineering systems. Microsoft was able to confirm no changes were made to the code, and the compromised user accounts have been "remediated."
"Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we're learning as we combat what we believe is a very sophisticated nation-state actor," Microsoft said in the blog post today.