Although Microsoft maintains that none of its tools were leveraged by the threat group behind the SolarWinds Orion compromise, the company did disclose that the hackers viewed source code for a small subset of Azure, Intune and Exchange components.
In a Microsoft Security Response Center blog on the final update of the company’s internal investigation into the SolarWinds attack, the company reiterated that it found no evidence of access to production services or customer data, and no Microsoft systems were used to further the attack.
Microsoft has emerged as a leading voice in the tech industry’s response to the attack, in which a trojanized Orion update reached some 18,000 customer networks and led to intrusions at several sensitive U.S. government departments. Earlier this month, Microsoft President Brad Smith called the attack the “largest and most sophisticated” ever.
Smith, alongside several other technology and cybersecurity executives, is scheduled to testify on the attacks at a U.S. Senate Intelligence Committee hearing this week.
Microsoft also said the hackers, allegedly backed by the Russian government, were not able to access privileged credentials or to use the forged-SAML-token techniques seen elsewhere in the campaign against the company’s corporate domains.
However, the company did have to act to secure its own systems: in December it detected “unusual activity” and, on investigation, found that a file in a source repository had been viewed in late November. Further access attempts, all of them unsuccessful, continued until early January.
“There was no case where all repositories related to any single product or service was accessed,” the blog said. “There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search.”
However, there was additional access for a small number of repositories, and in some cases, component source code was downloaded.
According to Microsoft’s blog, the repositories contained code for a small subset of Azure, Intune and Exchange components.
The company said the search terms the hackers used indicated they were looking for secrets (credentials, keys and the like) in the code, but Microsoft’s development policy prohibits secrets in code, and automated tools are used to verify compliance.
“Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories,” Microsoft said in the blog. “We have confirmed that the repositories complied and did not contain any live, production credentials.”
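The check Microsoft describes, verifying that neither current nor historical branches contain live credentials, is a history-wide secret scan rather than a scan of the latest checkout. The following is an added example of that technique, written for this article; it is not Microsoft’s tooling and makes no claim about how Microsoft’s internal policy checks work. The repository model, commit identifiers, file contents and the AWS-style key (AWS’s own documented placeholder, not a real credential) are all constructed here so the script runs offline; against a real checkout the in-memory model would be replaced with `git` plumbing (`for-each-ref`, `rev-list`, `ls-tree`, `cat-file`).

```python
"""
Scan every branch and every historical commit of a repository for
committed secrets.  Added example, not Microsoft's code.

The repository is modelled in memory (constructed sample data at the
bottom) so that the example runs offline.
"""
import hashlib
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "branch commit path rule excerpt")

# Fixed-format credentials.  Illustrative, not an exhaustive rule set.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# A quoted literal assigned to a secret-looking name.  The value is then
# entropy-checked so that placeholders such as password = "changeme" pass.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api[_-]?key)\w*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~4.0 for a random 16-char string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Yield (rule, excerpt) for each suspicious match in one file version."""
    for name, rx in PATTERN_RULES.items():
        for m in rx.finditer(text):
            yield name, m.group(0)
    for m in ASSIGNMENT.finditer(text):
        if shannon_entropy(m.group(2)) >= entropy_threshold:
            yield "high_entropy_assignment", m.group(0)


def scan_repository(branches, commits):
    """
    branches: {branch_name: head_commit_id}
    commits:  {commit_id: {"parent": id_or_None, "files": {path: content}}}

    Walks every branch back to its root commit, so a secret that was
    removed from HEAD but still exists in an older commit is still found.
    Each distinct blob is scanned once (keyed by content hash), which is
    what keeps a full-history scan affordable; a blob is reported at the
    first (branch, commit) it is seen in.
    """
    findings = []
    seen_blobs = set()
    for branch, head in branches.items():
        cid = head
        while cid is not None:
            commit = commits[cid]
            for path, content in commit["files"].items():
                blob_id = hashlib.sha1(content.encode()).hexdigest()
                if blob_id in seen_blobs:
                    continue
                seen_blobs.add(blob_id)
                for rule, excerpt in scan_text(content):
                    findings.append(Finding(branch, cid, path, rule, excerpt))
            cid = commit["parent"]
    return findings


# --- constructed sample repository (hypothetical data, not from the article) ---
# main:                 c1 -> c2 -> c4   (secret committed in c1, removed in c2)
# feature/legacy-deploy: c1 -> c3        (still carries the secret, plus an AWS key)
SAMPLE_COMMITS = {
    "c1": {"parent": None, "files": {
        "config.py": 'DB_PASSWORD = "Xk9#pL2!vQ7mZr4w"\n'}},
    "c2": {"parent": "c1", "files": {
        "config.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'}},
    "c3": {"parent": "c1", "files": {
        "config.py": 'DB_PASSWORD = "Xk9#pL2!vQ7mZr4w"\n',
        "deploy/aws.ini": "key_id = AKIAIOSFODNN7EXAMPLE\n"}},
    "c4": {"parent": "c2", "files": {
        "config.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
        "test/fixtures.py": 'password = "changeme"\n'}},
}
SAMPLE_BRANCHES = {"main": "c4", "feature/legacy-deploy": "c3"}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_BRANCHES, SAMPLE_COMMITS):
        print(f"{f.branch}@{f.commit}:{f.path} [{f.rule}] {f.excerpt}")
```

Scanning only the heads of `main` would report nothing, since the password was replaced with an environment lookup in `c2`; walking history finds it in `c1`, and walking the other branch finds the key in `deploy/aws.ini`. A finding in history means the credential must be treated as exposed and rotated, because rewriting the commit does not un-leak it.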
The company also said the attacks have reinforced two key concepts: Zero Trust and protecting privileged credentials. Best practices were shared in a separate blog on the matter.