Recently, Microsoft was hit along with various other major companies in an unprecedented cyberattack, most likely perpetrated by a hostile state actor. The attackers exploited vulnerabilities in SolarWinds software, which resulted in targets, primarily in the United States, having data compromised.
In a blog post on Microsoft's website, the company elaborated on its findings, noting that customer data was not compromised in the attack, and that access to Microsoft's systems were not used to further other attacks to secondary targets.
Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.
Microsoft also elaborated that unspecified source code repositories may have been viewed as a result of the attack. Microsoft also claims that its security model reduces the risk of vulnerabilities, noting that merely from viewing source code does not create "elevated risk," as the company operates internally using an "open source-like culture."
We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk.
Whether the SolarWinds hack will be used to attack Microsoft's customers across Windows, Microsoft 365, or Azure remains to be seen. Despite Microsoft's claims, exposing any particular source code to a hostile agent may contribute to future exploits, particularly if the attacks are indeed emerging from a state-funded source.
