Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code
Microsoft’s security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers.
The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally.
In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft’s internal network, where they accessed the source code of several internal projects.
“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” the company said today, in its final report into the SolarWinds-related breach.
Microsoft said that after cutting off the intruder’s access, the hackers continued to try to access Microsoft accounts throughout December and even up until early January 2021, weeks after the SolarWinds breach was disclosed, and even after Microsoft made it clear they were investigating the incident.
“There was no case where all repositories related to any single product or service was accessed,” the company’s security team said today. “There was no access to the vast majority of source code.”
Instead, the OS maker said intruders viewed “only a few individual files […] as a result of a repository search.”
Microsoft said that based on the search queries attacker performed inside their code repositories, the intruders appeared to have been focused on locating secrets (aka access token) that they could be used to expand their access to other Microsoft systems.
The Redmond company said these searches failed because of internal coding practices that prohibited developers from storing secrets inside source code.
Some source code was also downloaded
But beyond viewing files, the hackers also managed to download some code. However, Microsoft said the data was not extensive and that the intruders only downloaded the source code of a few components related to some of its cloud-based products.
Per Microsoft, these repositories contained code for:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
All in all, the incident doesn’t appear to have damaged Microsoft’s products or have led to hackers gaining extensive access to user data.