The masterminds behind the SolarWinds incident at Microsoft penetrated much further into the company network than previously known. The US software company announced on New Year's Eve that, based on new investigations, it had determined that the hackers had reached as far as its intangible crown jewels: program source code. The damage is limited, however.
Initially, Microsoft only stated that it had discovered compromised programs from the US service provider SolarWinds in its own network environment. These were "isolated and removed". In the more detailed investigation, which is not yet complete, "unusual activity" in a "small number of internal" employee accounts has now been detected. The attackers used one account to view "source code in a number" of relevant directories.
The account had no authorization to "change code or technical systems", writes the IT security team from Redmond. The analysis also confirmed that nothing had been modified. The accounts taken over by the hackers have also been "cleaned up". Microsoft did not go into detail about whether the attackers were able to see the source code of Windows or MS Office 365.
"At Microsoft we are pursuing an 'Inner Source' approach," said Microsoft's security experts. Its developers follow in-house best practices for software development in an "open source-like culture". The source code is therefore visible to authorized persons within the company. That means "that we do not rely on the secrecy of the source code for the security of products".
The team emphasizes that its threat models were already based on the assumption that attackers could gain knowledge of the source code. Viewing the program modules therefore does not entail an increased risk. As recently as 2017, Microsoft underlined that, in order to protect its intangible crown jewels, it had not provided the government in Beijing with any source code for testing purposes as part of the work on a special Windows 10 version for China.
Neither "the security of our services nor any customer data" was put at risk, according to the announcement from Redmond. There is also still no evidence that the software giant's systems and programs have been misused for attacks on third parties. Transparency and the sharing of experiences are important in such an event: "We are fighting what we believe to be a very highly developed national actor." Several US cabinet members had previously pointed to Russia, while outgoing President Trump suspected China was behind the massive attack.
Broad attack on companies and authorities
The Sunburst malware used by the attackers had been smuggled into the systems of up to 18,000 customers of the service provider, including Microsoft, via infected updates for SolarWinds' Orion network management platform since at least the spring. These customers included several US departments and agencies. The malware installed a backdoor there, enabling the remote takeover of infected systems. The same as yet unidentified group that had previously successfully attacked the IT security company FireEye is said to be behind the attacks.
Last week, FireEye competitor CrowdStrike announced that it had also been targeted by the attackers – but without success. The hackers are said to have gone through Microsoft resellers in their attempt to gain access to CrowdStrike's systems. The US Department of Homeland Security has confirmed that SolarWinds was just one of several avenues the attackers used against government institutions and, in particular, technology and cybersecurity companies.
Suspected state hackers had succeeded in compromising SolarWinds' Orion platform and smuggling a Trojan into official updates. SolarWinds sells network and security products used by more than 300,000 customers worldwide. These include many Fortune 500 companies and government agencies such as the US military, the Pentagon, and the State Department.