It has been over two weeks since the US first noticed a massive cybersecurity breach, affecting at least eight federal agencies and hundreds of private sector companies. Alleged Russian hackers trojanized a software update from IT management firm SolarWinds that had clients in the government and private companies. However, even after two weeks, the fallout has continued. On Thursday (December 31), Microsoft revealed that its source code was accessed by the hackers.
While initially, Microsoft admitted that its network was also breached, the tech giant could not determine immediately what the hackers were looking for. On Thursday, in a blog post, Microsoft said that SolarWinds hackers were able to access its internal networks and a small number of internal accounts that were used as source code repositories. One of the accounts was used to view the source code.
However, fortunately, the hackers were not able to alter the source code as the account had read-only access and not full administrative privileges. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated," Microsoft said in the blog post.
Customer Data Not Compromised
After the US Treasury Department and other federal agencies admitted to suffering data breaches, Microsoft disclosed, on December 17, that it was also targeted by the same supply-chain attacks. Microsoft like other targets also used SolarWinds Orion, an IT monitoring software for its internal network.
But despite gaining access to internal networks, the hackers were not able to steal customer data or reach the production system. They didn't even weaponize Microsoft products to target its customers. The company said that it did not consider the viewing of source code a security risk. The investigations are ongoing to see any further damage.
"At Microsoft, we have an inner source approach — the use of open-source software development best practices and an open source-like culture — to making source code viewable within Microsoft," the Redmond-headquartered company said. It added that since it did not rely on source code for the security of the products, it didn't pose any elevation of risks.
Cyber Pearl Harbor
The SolarWinds attack was the biggest cyberattack in US history. The hackers — supposedly Cozy Bear, an infamous group with alleged links to Russian Intelligence Agency (GRU) — infiltrated SolarWinds back in October 2019 and hid the malicious code into a digitally signed software update.
Many politicians called it the cyber equivalent of the Japanese bombings at Pearl Harbor in 1941. While many of them — Democrats and Republicans alike — asked for retaliation, US President Donald Trump played down the attack, saying China could be behind it and not Russia even though Secretary of State Mike Pompeo acknowledged that it was the work of Russians.
The incoming Biden administration, however, is planning for sanctions and financial penalties, besides considerations for a retaliatory cyberattack on Moscow. President-Elect Joe Biden's Chief of Staff, Ron Klain, said the actions would go beyond sanctions. "It's not just sanctions. It's steps and things we could do to degrade the capacity of foreign actors to engage in this sort of attack," Klain told the CBS.