Ng Han Guan/AP
The group behind the suspected Russian attack into U.S. government agencies and private companies was able to hack into Microsoft’s internal systems and access some of the company’s source code, the tech giant said in a blog post on Thursday.
Microsoft had previously said it was among thousands of companies that discovered malware on its systems after downloading a routine software update from the company SolarWinds containing a possible “backdoor” for hackers to gain access to sensitive company data.
But the admission on Thursday is the first time Microsoft acknowledged that the attackers had successfully broken into the company’s systems and had viewed source code, the carefully guarded DNA of the company’s software products.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company said. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
Dmitri Alperovitch, a cybersecurity expert and chairman of Silverado Policy Accelerator, a Washington-based think tank, said while the breach appears to be a “serious issue” and can potentially make it easier for attackers to uncover additional vulnerabilities at Microsoft, the company’s worst fears were not realized.
“This attack was not as bad as it could have been for Microsoft,” Alperovitch said. “If they had modified the source code, or used it to introduce new backdoors, since Microsoft has billions of users out there in pretty much every organizations all around the planet, that would’ve been a very severe, very grave concern,” he said. “But that doesn’t appear to be the case.”
Many facts remain unknown about how the cyber attackers targeted Microsoft. It did not say what products the viewed source code was tied to, or how long the hackers were able to stay within the company’s systems.
“Is it Microsoft Cloud Services? Is it their Windows operating system? Is it Microsoft Office? That would be very helpful to know to understand what source code was accessed and what vulnerabilities may be in that source code now,” Alperovitch said.
David Kennedy, who runs the Ohio-based company TrustedSec LLC, which investigated the hack, offered additional questions.
“What type of source code was viewed? Does this impact authentication mechanisms and how usernames and passwords are protected? Are they in the operating system side of the house or future projects? These are key things we need to understand to know how deep this goes,” Kennedy said. “The more access they had, the greater potential damage there is in the future.”
In its blog post, Microsoft downplayed the significance of the attackers reading its source code, saying, unlike other tech companies, employees at the company have an “open source-like culture” to viewing source code within the firm. “So viewing source code isn’t tied to elevation of risk,” the company said.
That may be true, said security expert Kennedy, but having a group of malicious hackers from a foreign country reading a company’s source code is a completely different matter.
“Those are typically trusted employees within an organization that have access to source code and aren’t looking at it from an adversary’s perspective, ” he said. “This can be used by adversaries later on to launch additional attacks.”
Investigators are still probing the far-reaching attack, which has been traced back to October and compromised 18,000 private and government users who inadvertently downloaded a tainted software update from the Texas firm SolarWinds.
U.S. agencies including the Departments of State, Treasury, Commerce, Energy and Homeland Security were compromised.
But, as expert Alperovitch notes, what exactly the suspected Russian agents stole is still a mystery.
“This is just one more shoe to drop,” he said. “There will be many more in the coming months. We’ll learn about more victims, more data that was taken. So we’re just in the very early innings of this investigation.”