Microsoft has confirmed that the attackers behind the SolarWinds cyberattack successfully accessed company source code after compromising specific accounts with direct access.
Microsoft doesn’t believe the source code access will create any vulnerabilities in its extensive range of apps or Windows 10 itself, but disclosed the extent of the incident in a blog post.
SolarWinds Attackers Access Microsoft Source Code
The blog post on the Microsoft Security Response Center is another update from Microsoft on the SolarWinds cyberattack (which Microsoft refers to as “Solorigate”).
“Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.”
However, the blog continues to explain that a small number of internal Microsoft accounts were compromised during the extensive cyberattack. One of those accounts was used to “view source code in a number of source code repositories,” of which there are many thousands.
As the Microsoft account used to access the source code did not have permission to modify code, Microsoft is confident that no changes were made.
Accessing Microsoft source code sounds like a serious issue. However, Microsoft plans “security with an ‘assume breach’ philosophy,” meaning the company works on the basis that attackers already have access to source code.
Furthermore, Microsoft takes an open-source approach to source code within the organization. Instead of hiding the source code away, the source code is viewable within Microsoft. Thus, all security is built from the ground up rather than relying “on the secrecy of source code for the security of products.”
As source code for various Microsoft products has leaked online in recent years, this approach is more important than ever.
Are Other Tech Companies Affected by SolarWinds?
You’ve probably noticed one tech company talking about the SolarWinds cyberattack more than most. Microsoft is leading the way with transparency regarding the attack and its effect on the company and its products.
But that doesn’t mean Microsoft was the only tech company to fall foul of the cyberattack. We know that Cisco, Intel, Nvidia, Belkin, and VMware found the malware at the root of the attack on their internal networks.
Cybersecurity firm CrowdStrike also confirmed that the attackers had attempted to breach their network but failed, while FireEye said a “highly-sophisticated threat actor” had stolen several of its offensive hacking tools.
The biggest difference between Microsoft and the other tech firms (CrowdStrike and FireEye notwithstanding) is information disclosure. With up to 18,000 SolarWinds Orion customers potentially affected, the number of victims could still rise considerably.