On 18 February, Microsoft posted that it had completed its investigation into one of the worst breaches in US history, the SolarWinds hack. Microsoft’s conclusion? The security team found no evidence that the attackers had accessed internal systems or customer data, or that Microsoft’s systems had been compromised or used to attack its customers.
The investigation began in December, right after the allegedly Kremlin-backed attackers used a software update to compromise at least nine federal agencies and about 100 private companies.
“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” the company wrote in its final report into the SolarWinds-related breach. “We continued to see unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped. There was no case where all repositories related to any single product or service were accessed. There was no access to the vast majority of source code.” Instead, the Microsoft Security Response Center team said that the intruders only viewed “a few individual files […] as a result of a repository search.”
Although no product or service had all of its repositories accessed, a “small” number of repositories were indeed viewed and some of the source code was downloaded by the attackers. The affected repositories contained source code for a small subset of Azure components, Intune components, and Exchange components. Microsoft’s products were not altered, and the attackers did not have extensive access to user data.
“Our development policy prohibits secrets in code and we run automated tools to verify compliance,” company officials wrote. “Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”
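The control Microsoft describes, a policy that forbids secrets in source plus an automated check run over both current and historical branches, matters because a credential deleted from the latest commit is still retrievable from every earlier commit that contained it. The following Python is an added illustration of that check, not Microsoft’s tooling or any real scanner’s rules: the detection patterns, the placeholder allowlist, the commit ids and the three-commit repository history are all constructed for the example. It scans a synthetic history the way git stores it, one pass per distinct blob, and contrasts the result with scanning only the newest snapshot.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative detection rules (hypothetical; not the rules of any real scanner).
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value": a quoted literal of 8+ characters assigned to a secret-looking name
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Obvious placeholders rather than live credentials (constructed allowlist).
PLACEHOLDER_VALUES = {"changeme", "<redacted>", "xxxxxxxx", "your-password-here"}


@dataclass(frozen=True)
class Finding:
    commit: str  # commit that first introduced the offending file version
    path: str
    line: int
    rule: str


def scan_blob(commit: str, path: str, text: str) -> List[Finding]:
    """Run every rule over each line of one file version."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            m = pattern.search(line)
            if m is None:
                continue
            if rule == "hardcoded_credential" and m.group(2).lower() in PLACEHOLDER_VALUES:
                continue  # placeholder, not a live secret
            findings.append(Finding(commit, path, lineno, rule))
    return findings


Snapshot = Tuple[str, Dict[str, str]]  # (commit id, {path: file content})


def scan_head(commits: List[Snapshot]) -> List[Finding]:
    """Scan only the newest snapshot: what a checkout-only scan would see."""
    commit, tree = commits[-1]
    findings = []
    for path, content in tree.items():
        findings.extend(scan_blob(commit, path, content))
    return findings


def scan_history(commits: List[Snapshot]) -> List[Finding]:
    """Scan every file version ever committed, oldest first.

    Blobs are deduplicated by content hash, mirroring how git stores them, so an
    unchanged file is scanned once and each finding is attributed to the commit
    that first introduced that content.
    """
    seen_blobs = set()
    findings = []
    for commit, tree in commits:
        for path, content in tree.items():
            blob_id = hashlib.sha1(content.encode()).hexdigest()
            if blob_id in seen_blobs:
                continue
            seen_blobs.add(blob_id)
            findings.extend(scan_blob(commit, path, content))
    return findings


# Constructed three-commit history: a placeholder, then a real-looking credential
# committed and later removed. HEAD is clean; the history is not.
SAMPLE_HISTORY: List[Snapshot] = [
    ("a1c0ffee", {
        "README.md": "# service\nRun `make deploy`.\n",
        "config.py": 'import os\nDB_PASSWORD = "changeme"\n',
    }),
    ("b2f4deed", {
        "README.md": "# service\nRun `make deploy`.\n",
        "config.py": 'import os\nDB_PASSWORD = "Sup3rS3cretPr0d!"\n',
        "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS's documented example id
    }),
    ("c3e0ffee", {
        "README.md": "# service\nRun `make deploy`.\n",
        "config.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    }),
]

if __name__ == "__main__":
    print("HEAD only :", scan_head(SAMPLE_HISTORY))
    for f in scan_history(SAMPLE_HISTORY):
        print("history   :", f)
```

Scanning HEAD reports nothing, while scanning the history surfaces both the hard-coded database password and the access key id introduced in the middle commit. That gap is the reason a compliance check has to walk every branch and every commit rather than the current tree, and why a credential found in history should be treated as exposed and rotated rather than merely deleted.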
Microsoft was not the only victim of the cyberattack. Other organizations were also hit, with the attackers accessing systems at NVIDIA, Malwarebytes, Intel, Mimecast, and US government agencies including the Department of Energy, the Department of Justice, the Department of Commerce, the Treasury, Homeland Security, and the Nuclear Security Administration.