From Han Guan / AP
The tech giant said the group behind the suspected Russian attack on US government agencies and private companies had managed to infiltrate Microsoft’s internal systems and gain access to some of the company’s source code. Blog post Thursday.
Microsoft said earlier that it was among thousands of companies that discovered malware on its systems after downloading a routine software update from SolarWinds that contained a possible “back door” for hackers to access sensitive company data.
But the admission on Thursday is the first time that Microsoft has admitted that the attackers had successfully compromised the company’s systems and had access to the source code, the DNA of the company’s carefully protected software products.
“We discovered unusual activity with a small number of internal accounts, and upon audit, we discovered that one account was used to display source code in a number of source code repositories,” the company said. “The account did not have permissions to modify any code or engineering systems and our investigation also confirmed that no changes were made. These accounts were investigated and processed.”
Dmitry Alberovic, a cybersecurity expert and chair of the Silverado Policy Accelerator, a Washington-based think-tank, said that while the breach appears to be a “serious problem” and could make it easier for attackers to discover additional vulnerabilities at Microsoft, the company’s worst concerns have not materialized. .
“This attack was not as bad as it could have been for Microsoft,” Alberovic said. “If they modified the source code, or used it to introduce new backdoors, given that Microsoft has billions of users in nearly every organization around the world, that would be a very serious concern,” he said. “But that does not appear to be the case.”
Several facts remain unknown about how Microsoft’s cyber attackers were targeted. It did not mention which products the offered source code was linked to, or how long the hackers could stay within the company’s systems.
“Is it Microsoft Cloud Services? Is it their Windows operating system? Is it Microsoft Office? That would be very useful to find out what source code has been accessed and what vulnerabilities might be in this source code now,” said Albirowitz.
David Kennedy, who runs the Ohio-based TrustedSec LLC that investigated the hack, asked additional questions.
“What type of source code has been displayed? Does this affect authentication mechanisms and how are usernames and passwords protected? Are they on the OS side of the home or future projects? These are the basic things we need to understand to find out how deep this is,” Kennedy said. “The greater their access, the greater the potential damage in the future.”
On its blog, Microsoft played down the importance of attackers reading its source code, saying, unlike other tech companies, employees in the company have a “open source-like culture” of displaying the source code within the company. “Therefore, displaying the source code is not linked to increased risk,” the company said.
This may be true, said the Kennedy security expert, but having a bunch of vicious hackers from a foreign country reading the company’s source code is a completely different matter.
“These are usually trusted employees within an organization who have access to the source code and do not view it from the opponent’s perspective,” he said. “The opponents can use this later to launch additional attacks.”
Investigators are still investigating the long-range attack, which was tracked through October and resulted in the penetration of 18,000 private and government users who inadvertently downloaded a tainted software update from SolarWinds in Texas.
US agencies have been compromised including the Departments of State, Treasury, Trade, Energy, and Homeland Security.
But, as the expert notes, what the suspected Russian agents stole remains a mystery.
He said, “This is just one more shoe that needs to be dropped.” “There will be more in the coming months. We will learn more victims, and more data taken. So we are at the beginning of this investigation.”