The group behind the suspected Russian attack into U.S. government agencies and private companies was able to hack into Microsoft’s internal systems and access some of the company’s source code, the tech giant said in a blog post on Thursday.
Microsoft had previously said it was among thousands of companies that discovered malware on its systems after downloading a routine software update from the IT company SolarWinds containing a possible “backdoor” for hackers to gain access to sensitive company data.
But the admission Thursday is the first time Microsoft acknowledged the attackers did more than place a tainted software update on its system: hackers successfully broke into the company’s systems and viewed source code, the carefully guarded DNA of the company’s software products.
Microsoft said after first believing it had blocked the intrusion, some “unusual activity” on a “small number” of employee accounts tripped an alarm. When the company homed in, a startling finding appeared: company source code “in a number of source code repositories” had been accessed by hackers.
Microsoft said the company’s source code was not altered by the attackers.
“The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” the company said.
Dmitri Alperovitch, a cybersecurity expert and chairman of Silverado Policy Accelerator, a Washington-based think tank, said while the breach appears to be a “serious issue” and can potentially make it easier for attackers to uncover additional system flaws at Microsoft, the company’s worst fears were not realized.
“This attack was not as bad as it could have been for Microsoft,” Alperovitch said. “If they had modified the source code, or used it to introduce new backdoors, since Microsoft has billions of users out there in pretty much every organization around the planet, that would’ve been a very severe, very grave concern,” he said. “But that doesn’t appear to be the case.”
Still, what the hackers can still do with whatever proprietary data was gathered from Microsoft should keep officials on edge, according to David Kennedy, who runs the Ohio-based company TrustedSec LLC, which investigated the hack.
“We trust the devices that we use. We trust our computers. We trust our phones that we’re using on a daily basis. And all of them have source code that runs on the devices,” he said. “My hope is that none of this was compromised in the process, but we just don’t know at this point.”
Many facts remain unknown about how the cyberattackers targeted Microsoft. The company did not say what products the viewed source code was tied to, or how long the hackers were able to stay within its systems.
“Is it Microsoft Cloud Services? Is it their Windows operating system? Is it Microsoft Office? That would be very helpful to know to understand what source code was accessed and what vulnerabilities may be in that source code now,” Alperovitch said.
Kennedy offered additional questions.
“Does this impact authentication mechanisms and how usernames and passwords are protected? Are they in the operating system side of the house or future projects? These are key things we need to understand to know how deep this goes,” Kennedy said. “The more access they had, the greater potential damage there is in the future.”
A Microsoft spokesman declined to comment beyond the company’s blog post, which noted that the hackers did not compromise customers’ personal data, nor did the intruders harness the information it read to attack others.
Microsoft downplayed the significance of the attackers reading its source code, saying, unlike other tech companies, its employees have an “open source-like culture” to viewing source code within the firm. “So viewing source code isn’t tied to elevation of risk,” the company said.
That may be true, security expert Kennedy said, but having a group of malicious hackers reading a company’s source code at the direction of a foreign government is a completely different matter.
“Those are typically trusted employees within an organization that have access to source code and aren’t looking at it from an adversary’s perspective,” he said. “This can be used later on to launch additional attacks.”
Investigators are still probing the far-reaching attack, which has been traced back to October and compromised 18,000 private and government users who inadvertently downloaded a tainted software update from the Texas firm SolarWinds.
U.S. agencies were compromised, including the departments of State, Treasury, Commerce, Energy and Homeland Security.
Officials do not believe the intrusion penetrated any classified information, yet investigators remain concerned that other sensitive data could have been stolen.
But, as expert Alperovitch noted, what exactly the suspected Russian hackers got away with is still a mystery.
“This is just one more shoe to drop,” he said. “There will be many more in the coming months. We’ll learn about more victims, more data that was taken. So we’re just in the very early innings of this investigation.”