Details of the SolarWinds hack have been unfolding for a few weeks now, and more recently, Microsoft has announced that the hackers viewed the company’s internal source code.
The company previously disclosed that it has found malicious SolarWinds applications in its environment that were isolated and removed, and there is no evidence to date that any of Microsoft’s own tools were used by the attackers, who are believed to be backed by the Russian government.
However, in a new blog post from the Microsoft Security Response Center, the company said it has found evidence of attempted activities beyond just the presence of the malicious code from the SolarWinds Orion platform, a popular IT management software used by hundreds of thousands of organizations. Victims include some of the most important U.S. federal agencies, government organizations and other tech companies.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company’s blog said. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
According to Microsoft, this doesn’t put the security of its services or customer data at risk, and the company was only disclosing this in the interest of transparency.
Previously, media reports suggested that some of Microsoft’s own tools had been used by the hackers, but Microsoft quickly threw cold water on that assertion. Given Microsoft’s dominance in the IT space, such a compromise could be devastating to many more organizations.
However, cybersecurity firm CrowdStrike has said that Microsoft resellers may have been compromised as part of the attack.
Cybersecurity experts fear the attack is much worse than we know so far
Regardless, cybersecurity experts are still uncovering details of the attack, and what they’re finding is deeply concerning.
According to a recent New York Times article, as many as 250 federal agencies and businesses are believed to be affected.
Eight weeks later, General Nakasone and other American officials responsible for cybersecurity are now consumed by what they missed for at least nine months: a hacking, now believed to have affected upward of 250 federal agencies and businesses, that Russia aimed not at the election system but at the rest of the United States government and many large American corporations.
Three weeks after the intrusion came to light, American officials are still trying to understand whether what the Russians pulled off was simply an espionage operation inside the systems of the American bureaucracy or something more sinister, inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.
At a minimum it has set off alarms about the vulnerability of government and private sector networks in the United States to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly.
The Times reports that initial estimates of just a few dozen of the 18,000 SolarWinds Orion customers using the application in question were affected, but that number has grown quickly.
Other points in the Times report:
- A lengthy focus on election security could have played a role in how cybersecurity experts missed this attack.
- The attackers worked from a server in the U.S. and exploited laws that prohibit domestic surveillance.
- Some of the SolarWinds software was engineered in Eastern Europe, and investigators are examining whether hackers were able to infiltrate there.
Now that a long-feared supply chain compromise of this magnitude has come to light, you should make it a priority to vet the security of any vendor that has access to your networks.