Microsoft source code breached in SolarWinds hack

Microsoft has joined the US government in disclosing it has fallen victim to an attack involving a compromise of SolarWinds’ Orion network monitoring platform, with the attackers able to gain access to Microsoft source code.

The company revealed that a likely compromised internal account had been used to view source code in a number of its source code repositories following the attack.

The account did not have permissions to modify any code or engineering systems, and while other accounts also displayed unusual activity, they have now been investigated and remediated.

Microsoft has also insisted that it takes an “inner source” approach to making source code viewable within Microsoft, so its threat models assume that attackers have knowledge of the company’s source code. This means viewing the code isn’t tied to elevation of risk, the company said.

While the investigation is ongoing, Microsoft also insisted it has found no evidence of access to production services or customer data, and no indication that its systems have been used to attack others.

But the SolarWinds Orion breach nevertheless represents clear signs of “the continuing rise in the determination and sophistication of nation-state attacks”, Microsoft President Brad Smith said in a statement.

“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the US Government and the tech tools used by firms to protect them,” he said.

“There are broader ramifications as well, which are even more disconcerting. First, while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy.”

Heatmap of where the compromised software is installed.

Australia could be vulnerable

Meanwhile, a heatmap published by Microsoft based on telemetry from Microsoft Defender, identifying customers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’ malware, shows that there were multiple installs of the compromised software in Australia.

Smith said Microsoft has identified and notified more than 40 customers that the attackers targeted with more precise follow-up attacks. While none of these were from Australia, there have been victims in seven countries outside of the US to date — Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.

Smith added that it is “certain” that the number and location of victims will keep going, suggesting that Australian government or private sector users of the SolarWinds software could still be vulnerable.

Image credit: ©stock.adobe.com/au/ArtemSam