The hacking group behind the SolarWinds compromise managed to break into Microsoft and access some of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the spies’ ambition.
Source code – the underlying set of instructions that run a piece of software or operating system – is typically among a technology company’s most closely guarded secrets and Microsoft has historically been particularly careful about protecting it.
Microsoft had already disclosed that like other firms it found malicious versions of SolarWinds’ software inside its network, but the source code disclosure – made in a blog post – is new. After Reuters reported that it was breached fourteen days ago, Microsoft said it had not “found any evidence of access to production services.”
Three individuals briefed on the matter said Microsoft had known for days that the source code had been obtained. A Microsoft spokesman said security personnel had been working “around the clock” and that “when there is actionable information to share, they have published and shared it.”
The SolarWinds hack is among the most ambitious cyber operations ever disclosed, compromising at least half-a-dozen national agencies and potentially thousands of organizations and other associations. US and private business researchers have spent the holidays combing through logs to try to learn whether their data was stolen or altered.
Modifying source code – which Microsoft said the hackers did not do – could have potentially devastating consequences given the ubiquity of Microsoft products, including the Office productivity package and the Windows operating system. But experts said that just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.
“The source code is the architectural blueprint of how the software is built,” said Andrew Fife of Israel-based Cycode, a source code protection company.
“If you have the blueprint, it’s far easier to engineer attacks.”
Matt Tait, an unaffiliated cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also cautioned that parts of the company’s source code were already shared – for example with overseas authorities. He said he doubted that Microsoft had made the common mistake of leaving cryptographic keys or passwords in the code.
“It’s not going to affect the security of their customers, at least not substantially,” Tait said.
Microsoft noted that it permits broad internal access to its code, and former employees agreed that it is more open than other businesses.
In its blog post, Microsoft said that it had found no evidence of access “to production services or customer data.”
Journalists at our partner news agency Reuters reported a week ago that Microsoft-authorized resellers had been hacked and that their access to productivity programs inside targets had been leveraged in efforts to read email. Microsoft acknowledged some reseller access was misused but has not said how many resellers or clients might have been breached.
There was no response to requests for comment from the FBI, which is investigating the hacking effort, or from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
US officials have attributed the SolarWinds hacking campaign to Russia, an allegation the Kremlin denies.
Both Tait and Ronen Slavin, Cycode’s CTO, said a key unanswered question was which source code repositories were obtained. Microsoft has a huge array of products, from the popular Windows to lesser-known software such as the social networking app Yammer and the design app Sway.
Slavin said he had been worried by the risk that the SolarWinds hackers were poring over Microsoft’s source code as a prelude to a much harder offensive.
“To me the biggest question is, ‘Was this recon for the upcoming big surgery?’” he explained.
The team at Platform Executive hope you have enjoyed this news article. Initial reporting via our official content partners at Thomson Reuters. Reporting by Raphael Satter and Joseph Menn. Editing by Chris Reese, Diane Craft and Daniel Wallis.