Microsoft on Thursday said it had concluded its investigation into the SolarWinds hack and found that the attackers viewed parts of the source code for its Azure cloud components related to identity and security, its Exchange email software, and its Intune mobile device and application management service.
In a small number of cases the attackers also downloaded component source code. Access of that kind could in principle let them hunt for security vulnerabilities, study the logic for ways to exploit customer installations, or build modified copies of the code containing new flaws. However, Microsoft said it found no evidence that the attackers abused its internal systems to target other companies, or that they gained access to production services or customer data.
The disclosure builds on an earlier update from December 31, 2020, in which Microsoft revealed that a compromised internal account on its own network had been used to view source code related to its products and services.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Windows maker had previously disclosed. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
Lessons Learned
The cybersecurity industry has long known that sophisticated, well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar; this incident proved that the threat is not just theoretical. For Microsoft, the attacks reinforced two key lessons it wants to emphasize: embracing a Zero Trust mindset and protecting privileged credentials.
A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust, where everything inside the corporate network is assumed to be safe, to a model that assumes breach and explicitly verifies the security status of each identity, endpoint, network, and other resource based on all available signals and data. Microsoft has recently published guidance on using Zero Trust principles to protect against sophisticated attacks like Solorigate.
Protecting credentials is essential. In deployments that connect on-premises infrastructure to the cloud, organizations often delegate trust to on-premises components, for example by federating sign-in to an on-premises identity provider. This creates an additional seam that has to be secured: if the on-premises environment is compromised, the attacker can use that delegated trust to reach cloud services. Microsoft strongly recommends mastering identity in the cloud, as described in its guidance on protecting Microsoft 365 cloud services from on-premises attacks.
SolarWinds hack and who is to blame for it
In 2020, a group believed to be associated with Russian intelligence services launched a massive cyberattack targeting thousands of organizations, including several U.S. government agencies and dozens of Fortune 500 companies.
Rather than exploiting a vulnerability in deployed systems, the attackers compromised SolarWinds’ build and distribution process and inserted a backdoor into its popular network monitoring software, which is used by hundreds of thousands of organizations, including high-profile agencies such as the NSA, the Department of Homeland Security, and the US Department of Energy. The malicious code shipped as what appeared to be a legitimate, signed SolarWinds update, giving the attackers a foothold inside victim networks while flying completely under the radar.
The hack was first discovered by security provider FireEye Inc. The attackers used advanced tradecraft to plant software back doors for espionage in widely used network-management programs distributed by Texas-based SolarWinds Corp.