- Microsoft has found that the SolarWinds hackers accessed some of its source code repositories.
- The company confirms that the actors made no changes and says there’s no additional risk for security.
- The event is still grave even for a company that follows “inner source” software development methods.
Microsoft has previously admitted that they were using the SolarWinds Orion, the software that was used by state-supported hackers to launch one of the most successful supply chain attacks in recent history. However, they denied the possibility of the hackers achieving to send anything downstream to its clients. The internal investigation that is still ongoing has now revealed that the hackers managed to access several source code repositories at the firm, but as the tech company reassures, this is nothing to worry about as it’s not linked to an elevation of risk.
Microsoft says the attacker couldn’t modify anything on the source code they accessed, as the account that was used by them didn’t have such permissions. That said, no danger arises from this event, and a subsequent investigation with absolute certainty confirmed the fact that no changes were made. Moreover, Microsoft says they are following an “inner source” approach anyway, which decouples security and code secrecy and lets all developers in the firm openly access everything. This is the same way IBM, HP, Philips, Google, Nokia, Siemens, PayPal, and many others work.
Finally, Microsoft’s internal investigation has yielded no evidence of access to production services or customer data, and no indications that the firm’s systems were abused to attack or infect others. All of the identified malicious applications and forged SAML tokens in Microsoft’s environment have been isolated and removed now, and the firm sees no indications of compromise anymore. Similarly, all of the malicious user accounts have been deleted. Of course, the investigation is still ongoing, but Microsoft feels that its layered protection security approach has helped a great deal this time.
As much as Microsoft prefers to downplay the importance of source code access, this is a negative development for anyone that sells proprietary solutions. Sure, the more grave situations appear to have been averted, which is of course very important, but having closed-source code leaks isn’t helping Microsoft keep its edge on the market.
Also, Microsoft has had several alleged or even dubious source code repository access incidents this year, but we do not believe that these are in any way related to the SolarWinds hack. In fact, we are sure that the SolarWinds hackers would avoid making anything that would give an indication about their activities public, as their goal was to remain stealthy and continue their espionage for as long as possible.