As Microsoft continues to investigate the massive SolarWinds attack, the company says it has discovered that its systems were infiltrated “beyond just the presence of malicious SolarWinds code.” In an update from its Security Response Center, Microsoft says that hackers were able to “view source code in a number of source code repositories,” but that the hacked account granting such access didn’t have permission to modify any code or systems.
While Microsoft points to “a very sophisticated nation-state actor” as the culprit, the US government and cybersecurity officials have implicated Russia as the architects of the overall SolarWinds attack. The attack exposed an extensive list of sensitive organizations, and today’s disclosure from Microsoft shows we’ll still be unraveling the attack’s implications for weeks and months to come.
Fortunately, Microsoft says that while hackers went deeper than previously known, it found “no evidence of access to production services or customer data,” and “no indications that our systems were used to attack others.” Additionally, the company says that it regularly assumes adversaries are able to view its source code, and does not rely on the secrecy of source code to keep its products secure. Microsoft did not disclose how much code was viewed or what the exposed code is used for.
Earlier this month, Microsoft President Brad Smith said the attack was a “moment of reckoning” and warned about its danger. “This is not ‘espionage as usual,’ Smith said. “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”