Microsoft Reveals That Russian Attackers Accessed Some of Its Source CodeMicrosoft Reveals That Russian Attackers Accessed Some of Its Source Code
Malicious SolarWinds Orion backdoor installed in Microsoft's network led to the attackers viewing some of its source code.
January 1, 2021
Microsoft today disclosed its discovery that the attackers behind the SolarWinds breach and rigged software update had commandeered one of its internal accounts to view — but not alter — some of its source code "in a number of source code repositories."
The revelation is the latest twist in a complex breach believed to be perpetrated by Russian hackers on behalf the nation's SVR intelligence arm that has infiltrated major US government agencies, including the US State Department and Treasury, as well as major companies such as Microsoft and FireEye, the security giant that first detected and revealed the breach. The so-called Dark Halo group (aka UNC2452) infiltrated network management vendor SolarWinds' software build system and planted a backdoor called Sunburst into updates of the company's Orion software used by the victims. Some 33,000 organizations worldwide received the software update, and around 18,000 installed it on their systems — including Microsoft.
SolarWinds' Orion software wasn't the only initial attack vector, however. The Cybersecurity & Infrastructure Security Agency (CISA) said the attackers used other methods as well, which have not yet been publicly disclosed.
Microsoft said that the attackers' viewing its source code poses no increase in security risk because its security threat model assumes attackers have some knowledge of the code. One of Microsoft's user accounts was used by the attackers to view the company's source code, but the company said that account was not authorized to modify code or engineering systems. Microsoft was able to confirm no changes were made to the code, and the compromised user accounts have been "remediated."
"Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we're learning as we combat what we believe is a very sophisticated nation-state actor," Microsoft said in the blog post today.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
The Evolving Ransomware Threat: What Business Leaders Should Know About Data Leakage
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
2021 Banking and Financial Services Industry Cyber Threat Landscape Report