The hacking group behind the SolarWinds compromise was able to break into Microsoft and gain access to some of its source code, Microsoft said Thursday, a disclosure that experts said sent a worrying signal about the spies’ ambition.
Source code – the underlying set of instructions that runs software or an operating system – is usually one of a tech company’s most closely kept secrets, and Microsoft has always been particularly careful to protect it.
It is not known how many or which parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in learning about the inner workings of Microsoft products.
Microsoft had previously revealed that, like other companies, it had found malicious versions of SolarWinds software in its network, but the source code disclosure – made in a blog post – is new. After Reuters reported a breach two weeks ago, Microsoft said it had “found no evidence of access to production services.”
Three people briefed on the matter said Microsoft had known for days that the source code had been viewed. A Microsoft spokesperson said security workers work “around the clock” and “when there is actionable information to share, they’ve published and shared it.”
The SolarWinds hack is among the most ambitious cyber operations ever revealed, compromising at least half a dozen federal agencies and potentially thousands of businesses and other institutions. U.S. and private investigators have spent the holidays scouring logs to try to figure out if their data has been stolen or altered.
Changing the source code – something Microsoft said the hackers did not do – could have potentially dire consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts have said that just being able to review the code could offer hackers information that could help them subvert Microsoft products or services.
“Source code is the architectural blueprint of how software is built,” said Andrew Fife of Cycode, an Israel-based source code protection company.
“If you have the master plan, it’s a lot easier to design attacks.”
Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also warned that parts of the company’s source code were already widely shared – for example, with foreign governments. He said he doubted Microsoft made the common mistake of leaving cryptographic keys or passwords in the code.
“It won’t affect the safety of their customers, at least not substantially,” Tait said.
Microsoft noted that it allows wide internal access to its code, and former employees agreed it was more open than other companies.
In its blog post, Microsoft said it had found no evidence of access to “production services or customer data.”
“The investigation, which is ongoing, has also found no indication that our systems have been used to attack other people,” it said.
Reuters reported a week ago that Microsoft-authorized resellers had been hacked and that their access to productivity programs inside targets was exploited in an attempt to read emails. Microsoft acknowledged that some vendor access was misused, but did not indicate how many resellers or customers may have been breached.
There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
U.S. officials have blamed the SolarWinds hacking campaign on Russia, an allegation the Kremlin denies.
Tait and Ronen Slavin, CTO of Cycode, said that one of the main unanswered questions was which source code repositories were accessed. Microsoft offers a wide range of products, ranging from widely used Windows to lesser-known software such as the Yammer social networking app and the Sway designer app.
Slavin expressed concern that the SolarWinds hackers could look into Microsoft’s source code as a prelude to a much more ambitious offensive.
“For me the biggest question is, ‘Was that recognition for the next big deal?’” he said.