As the organizations hit by the SolarWinds attackers have continued to assess the damage to their internal systems, some interesting details have emerged. At the top of that list is the fact that the attackers were able to access some of Microsoft’s source code repositories.
Microsoft was one of the first few companies to disclose publicly that it had been a victim of the group that compromised SolarWinds several months ago. The attack on SolarWinds led to the compromise of an update for the company’s Orion IT monitoring platform, which thousands of customers then downloaded and installed in their environments. When the breach was disclosed late last month by FireEye, Microsoft officials said the company was affected and that the attackers had accessed some of the company’s internal systems. Although SolarWinds officials said somewhere around 18,000 customers had downloaded the malicious update, the number of organizations that the attackers exploited afterward is likely a tiny fraction of that number. Some of the known victims include federal government agencies, tech companies, and financial services firms.
But none of those organizations has been as forthcoming about the details of what happened as Microsoft and FireEye. Microsoft said initially that it had discovered the trojaned SolarWinds updates in its network and later expanded on that, saying that the attackers did not have access to customer data or production systems. The company also said that it has not found any evidence that the attackers were able to forge SAML tokens for internal domains, a technique that the attackers used in other victim organizations. But Microsoft officials said Friday that the SolarWinds attackers accessed some of the company’s source code.
“Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate domains,” the Microsoft Security Response Center said.
“Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories.”
Although the adversaries had access to some unnamed source code repositories, the account that they used to view them did not have the ability to make any changes to the source code, and the MSRC found that no changes had been made to the code. The MSRC said that it had also found evidence of other attempted movements by the attackers inside the corporate network, but those activities were stopped by Microsoft’s defenses.
“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” the MSRC said.