The hackers who used SolarWinds software to conduct a cyber attack against the U.S. federal supply chain in 2020 also gained access to Microsoft’s internal network. They used accounts to view repositories containing source code for Microsoft products, although they weren’t able to change any of this code. The software giant also reported the incident had little effect on the security or quality of its software.
The cyber attack began no later than March 2020 and involved exploiting software from at least three U.S. companies, including Microsoft, SolarWinds and VMware. Flaws in these products allowed the attackers to access internal documents and to authenticate as authorized users on systems that rely on single sign-on. In the case of SolarWinds, attackers were able to insert malware into updates for the company’s Orion platform.
This malware was able to forge Security Assertion Markup Language (SAML) tokens, allowing it to access the internal networks of thousands of government agencies and private companies, including Microsoft. The software giant uses Orion to monitor the performance of its networks, so attackers were able to deliver the malware via Orion updates. Microsoft initially reported its discovery of this malware on December 17, 2020.
Microsoft updated the results of its internal investigation into the SolarWinds incident on December 31, 2020. The company disclosed that it detected malicious code in Orion within its environment, which it isolated and removed. Microsoft’s investigation found no evidence that the attack was able to modify any of its tools, techniques and procedures (TTPs). It also found no evidence that the attackers were able to access production services or customer data. Furthermore, there were no indications that they used Microsoft’s systems to attack other parties.
However, the investigation did show additional intrusion attempts not related to the malicious code in Orion. This activity didn’t compromise the security of Microsoft’s services or customer data, although it was highly sophisticated and appears to be state-sponsored. Some accounts exhibited unusual activity, which included viewing source code in multiple repositories. These accounts were read-only, so they didn’t have the authority to modify code or change any systems. Further investigation confirmed that the accounts made no changes, and they were subsequently remediated. Microsoft adds that it will continue to share what it learns about these attacks in the interest of transparency.
Microsoft emphasized that the act of viewing some source code didn’t compromise the security of its products because it uses an inner source approach to software development. This philosophy means that Microsoft adheres to many best practices in open source development and has an open source culture. As a result, insiders can readily view Microsoft source code. These practices mean that the company’s threat models don’t rely on the secrecy of source code because they already assume attackers have this information. An attacker viewing source code therefore doesn’t increase the risk to Microsoft, its products or customers.
Microsoft has made its approach to software development clear in previous disclosures of its source code. Insiders have already leaked the source for many of its operating systems, including Windows 10, Windows XP, Windows 2000, Windows Server 2013 and Windows NT.