Microsoft Says SolarWinds Hackers Viewed Its Source Code

Microsoft has acknowledged that the hackers behind the SolarWinds cyber-attack accessed and viewed source code repositories within the company.

The company had previously disclosed that it, like thousands of other companies, made internal use of the software used in the attack, SolarWinds’ Orion network management software.

The disclosure that hackers viewed its source code is new, however.

Microsoft said in a blog post the attackers gained access to a small number of internal accounts, which they used to view the repositories.

Code access

The company said the source code was not altered as the accounts in question were not authorised to do so.

Microsoft did not indicate which products the repositories pertained to.

It said the hackers did not escalate their attack to access production systems or customer data, or use their access to Microsoft’s systems to stage attacks on the company’s customers around the world.

The company said its investigation is ongoing.

The hacking group in question inserted backdoor code into SolarWinds’ Orion platform in March of 2020 and used this to access the systems of at least half-a-dozen US federal agencies as well as potentially thousands of private firms before the attack was discovered in December.

Some US officials have accused the Russian government of being behind the attack, which Russia denies.

‘Open’ environment

Security experts have said it is likely to take months for organisations to review system logs and determine what data may have been accessed and whether the intruders still have a foothold.

British security sources have said that in the UK, a small number of organisations outside of the public sector appear to have been affected.

SolarWinds issued a fix for the Orion breach shortly after it was discovered in December.

Microsoft downplayed the seriousness of hackers’ access to its source code, saying the security of its products does not depend upon the code’s secrecy.

The company said it employs an “open source-like” development approach allowing the code to be broadly viewed within the company.

Security

“This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” the company said.

Microsoft has emphasised this approach in recent years, particularly following security incidents that led to the leak of the source code of Windows 10, Windows Server 2013 and other products.

However, in the early 2000s the company waged a publicity war against open source software, with then-chief executive Steve Ballmer comparing the open source development model to a “cancer”.