An illicit account associated with the widespread SolarWinds hack was used to view some of Microsoft’s internal source code, the company disclosed Thursday morning.
Microsoft says its investigation found that the account was unable to modify any code or engineering systems. The company also reiterated that it has yet to find evidence that hackers accessed live services or customer data, or used Microsoft’s systems to attack others.
Yet the disclosure illustrates that the implications of the incident are still unfolding, more than two weeks after the unprecedented cyberattack began to make headlines.
“This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor,” the company said in its post on the Microsoft Security Response Center blog.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the post said. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
The sophisticated attacks are believed to be the work of the same Russian hacking group responsible for the 2016 attacks on the Democratic National Committee.
Hackers were able to infiltrate business and government computer systems by illicitly inserting malware into software updates for a widely used IT infrastructure management product, the SolarWinds Orion Platform. SolarWinds, based in Austin, Texas, said about 18,000 customers may have installed the compromised software.
Major U.S. government agencies are among those impacted. The U.S. Cybersecurity and Infrastructure Security Agency said previously that the attacks pose “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
In its Thursday post, Microsoft says its internal practices start with the assumption that a hacker will gain access in a breach, and work to prevent further infiltration or damage. In this case, the company says, “We have found evidence of attempted activities which were thwarted by our protections, so we want to re-iterate the value of industry best practices such as outlined here, and implementing Privileged Access Workstations (PAW) as part of a strategy to protect privileged accounts.”
Microsoft has separately made a series of aggressive moves to stymie the attacks, taking steps to safeguard Windows from the hacks, while seizing control of a key domain used in the attacks. However, the attacks are believed to have been taking place surreptitiously since March. Security experts and government officials have said the full scope of the impact isn’t yet clear.
SolarWinds is a Microsoft Office 365 customer, and said in a Dec. 14 regulatory filing that it was “made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools.” SolarWinds said it was working with Microsoft to investigate whether this attack was associated with the attack on its Orion software build system.
An earlier analysis for GeekWire by Christopher Budd, a security specialist who worked previously in Microsoft’s Security Response Center, found that SolarWinds attackers “have targeted authentication systems on the compromised networks so they can log in to cloud-based services like Microsoft Office 365 without raising alarms.”
Based on the information disclosed Thursday by Microsoft, the incident at the company has shifted to Stage II of Budd’s “hack scale,” in which attackers “have moved to the broader network and are in ‘read-only’ mode, meaning they can read and steal data but not alter it.”