Microsoft says SolarWinds hackers stole source code for 3 products

Shadowy figures are under a Microsoft logo on a fake wooden wall.

The hackers behind one of the worst breaches in US history read and downloaded some Microsoft source code, but there is no evidence that they were able to access production servers or customer data, Microsoft said on Thursday. The software maker also said it found no evidence that the hackers used the compromise of Microsoft to attack its customers.

Microsoft released these findings after completing an investigation initiated in December, after learning that its network had been compromised. The breach was part of a comprehensive hack that compromised the distribution system for SolarWinds’ widely used Orion network management software and distributed malicious updates to Microsoft and around 18,000 other customers.

The hackers then used the updates to compromise nine federal agencies and about 100 private sector companies, the White House said on Wednesday. The federal government said the hackers were probably supported by the Kremlin.

In a post on Thursday morning, Microsoft said it had completed its investigation into its network hack.

“Our analysis shows that the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” Thursday’s report said. “We continued to see unsuccessful access attempts by the actor until the beginning of January 2021, when the attempts stopped.”

The vast majority of the source code was never accessed and, for the repositories that were accessed, only “a few” individual files were seen as a result of a search of the repository, the company said. There has been no case where all repositories for a particular product or service were accessed, the company added.

For a “small” number of repositories, there was additional access, including downloading the source code. The affected repositories contained source code for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components

Thursday’s report went on to say that, based on the searches the hackers carried out on the repositories, their intention appeared to be to find “secrets” included in the source code.

“Our development policy prohibits secrets in the code and we use automated tools to verify compliance,” the company wrote. “Because of the detected activity, we immediately started a verification process for current and historical branches of the repositories. We confirmed that the repositories were in compliance and did not contain any live production credentials.”
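Microsoft’s statement describes automated checks that verify no secrets sit in current or historical branches. The Python scanner below is an added illustration of that kind of check, not Microsoft’s tooling or code from this article: it applies a small constructed rule set plus an entropy filter to in-memory file contents standing in for two branches, and every rule name, pattern and sample value is an assumption made for the example.

```python
import math
import re

# Rule set constructed for this example (real scanners ship far larger ones).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, ordinary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, rule, matched_value) for each suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Generic assignments must look random, so placeholders are not reported.
            if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((line_no, rule, value))
    return findings

def scan_refs(refs: dict) -> dict:
    """Scan every ref (current and historical branches) and keep those with findings."""
    results = {ref: scan_text(text) for ref, text in refs.items()}
    return {ref: hits for ref, hits in results.items() if hits}

# Constructed sample: in-memory stand-in for file contents on two branches (no git needed).
SAMPLE_REFS = {
    "main": (
        'password = "changeme_please"  # placeholder, filtered out by the entropy check\n'
        'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS's documented example key ID
    ),
    "release/archived": (
        'api_key = "xK7pQ2vL9mZ4nB8rT3wJ"\n'
        "-----BEGIN RSA PRIVATE KEY-----\n"
    ),
}

print(scan_refs(SAMPLE_REFS))
```

In a real pipeline the same scan runs over every branch and every historical commit, not only the checked-out tree, which is the distinction Microsoft’s statement draws between current and historical branches.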

The hack campaign began no later than October 2019, when the attackers used the SolarWinds software build system in a test run. The campaign was not discovered until December 13, when security firm FireEye, itself a victim, first revealed the SolarWinds compromise and the resulting attack on its customers’ software supply chain. Other affected organizations include Malwarebytes, Mimecast and the US Departments of Energy, Commerce, Treasury and Homeland Security.
