The group of hackers behind the SolarWinds hack managed to break into Microsoft and access part of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the spies’ ambition.
Source code – the underlying set of instructions that runs a piece of software or an operating system – is usually among a technology company’s best kept secrets, and Microsoft historically has been particularly careful to protect it.
It is unclear how much or which parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into US government networks were also interested in discovering the inner workings of Microsoft products.
Microsoft has previously reported that, like other companies, it has found malicious versions of SolarWinds software within its network, but the source code disclosure – made in a blog post – is new. After Reuters said Microsoft was breached two weeks ago, the company said it had “found no evidence of access to production services”.
Three people briefed on the matter said that Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security workers worked “24 hours a day” and that “when there is actionable information to share, they publish and share it”.
The SolarWinds hack is among the most ambitious cyber operations ever disclosed, compromising at least half a dozen federal agencies and potentially thousands of companies and other institutions. US and private sector investigators spent the holiday sifting through records to try to understand whether their data was stolen or modified.
Modifying the source code – which Microsoft said hackers did not do – can have potentially disastrous consequences, given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts say that just being able to review the code can offer hackers insight that can help them subvert Microsoft’s products or services.
“The source code is the architectural design of how the software is built,” said Andrew Fife of Cycode, an Israel-based source code protection company.
“If you have the plan, it is much easier to engineer attacks.”
Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but also warned that elements of the company’s source code were already widely shared – for example, with foreign governments. He said he doubted that Microsoft made the common mistake of leaving cryptographic keys or passwords in the code.
“It will not affect the safety of its customers, at least not substantially,” said Tait.
Microsoft noted that it allows broad internal access to its code, and former employees have agreed that it is more open than other companies.
In its blog post, Microsoft said it found no evidence of access “to production services or customer data”.
“The investigation, which is ongoing, also found no evidence that our systems were used to attack others,” it said.
Reuters reported a week ago that authorized Microsoft resellers were hacked and their access to targeted productivity programs was leveraged in attempts to read e-mail. Microsoft acknowledged that some vendors’ access was misused, but did not say how many resellers or customers may have been breached.
There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or the Department of Homeland Security’s Infrastructure and Cybersecurity Agency.
American officials have attributed the SolarWinds hacking campaign to Russia, a claim the Kremlin denies.
Both Tait and Ronen Slavin, chief technology officer at Cycode, said that one of the main unanswered questions was which source code repositories were accessed. Microsoft has a wide range of products, from the widely used Windows to lesser-known software, such as the social networking app Yammer and the design app Sway.
Slavin said he was concerned that the SolarWinds hackers were poring over Microsoft’s source code as a prelude to a much more ambitious offensive.
“For me, the biggest question is, ‘Was that recognition for the next big thing?’” he said.