Microsoft Confirms Its Source Code Was Accessed In Expansive SolarWinds Hacking Spree
Earlier in December, we reported that hackers had breached the SolarWinds Orion platform, a software package dedicated to IT resource management. Since it was reported that the breach stretched back to Spring of 2020, numerous government agencies and private companies have indicated that they too were breached. Microsoft, which was at the tip of the spear when it came to the response, reported that it had been breached as well. Now, Microsoft says hackers viewed source code repositories and tried to expand their capabilities on the Microsoft network.
Since beginning its investigation on December 17th, Microsoft has maintained that no customer data or production services were accessed. The company has also reported that its systems were not used to attack other companies. However, in an effort to be transparent, Microsoft is reporting that some internal accounts were used to view source code for several products.
While attackers viewing source code could be concerning in some cases, Microsoft has a decent approach for when something like this happens. First, there are likely not many accounts that can edit source code in a way that would allow backdoors to be added. The accounts the attackers used did not have the necessary permissions to edit the code, thankfully. Microsoft also states that it uses an “inner source” approach to development, where code is viewable within Microsoft. As a result, Microsoft’s threat models assume attackers know the source code. Therefore, “viewing source code isn’t tied to elevation of risk.”
Moreover, Microsoft plans security around “assumed breaches” and has many layers of security waiting for an attacker to trigger them. Some of the security layers were tripped when the SolarWinds attacker tried to gain more privileges, and the attacker was stopped in their tracks. As Microsoft states, this attacker being stopped “re-iterate[s] the value of industry best practices.” It is less a question of if you will be hacked than of when.