SolarWinds hackers have accessed Microsoft source code, the company says

WASHINGTON (Reuters) – The hacking group behind the SolarWinds compromise has managed to break into Microsoft Corp and access some of its source code, Microsoft said on Thursday, which experts said sent a worrying signal about the spies' ambition.

FILE PHOTO: A Microsoft logo is seen on an office building in New York City on July 28, 2015. REUTERS / Mike Segar

Source code – the set of instructions that runs a piece of software or an operating system – is usually among a technology company's best-kept secrets, and Microsoft has historically been particularly careful about protecting it.

It is unclear how much or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that hackers who used the software company SolarWinds as a springboard to penetrate sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products.

Microsoft has already revealed that, like other companies, it found malicious versions of SolarWinds software on its network, but the source code disclosure – made in a blog post – is new. After Reuters reported that it was breached two weeks ago, Microsoft said it had “found no evidence of access to production services.”

Three people briefed on the matter said that Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security employees work “non-stop” and that “when there is information that can be shared, they have published and distributed it.”

The SolarWinds hack is one of the most ambitious cyber operations ever unveiled, compromising at least half a dozen federal agencies and potentially thousands of companies and other institutions. U.S. and private sector investigators spent the holidays combing logs to try to understand if their data had been stolen or altered.

Changing the source code – which Microsoft said hackers did not do – could have potentially disastrous consequences, given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts say that even being able to review the code could give hackers insight that might help them subvert Microsoft products or services.

“Source code is the architectural scheme of how software is built,” said Andrew Fife of Cycode, an Israeli source code protection company.

“If you have the plan, it’s much easier to create attacks.”

Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but also warned that elements of the company’s source code were already widely shared – for example with foreign governments. He said he doubted Microsoft had made the common mistake of leaving cryptographic keys or passwords in code.

“It won’t affect the security of their customers, at least not substantially,” Tait said.

Microsoft mentioned that it allows wide internal access to its code, and former employees agreed that it is more open than other companies.

In a blog post, Microsoft said it found no evidence of access to “production services or customer data.”

“The investigation, which is ongoing, found no evidence that our systems were used to attack others,” it said.

Reuters reported a week ago that Microsoft-authorized resellers had been hacked and that their access to targeted productivity programs had been exploited in attempts to read emails. Microsoft acknowledged that access to a particular vendor had been misused, but did not say how many resellers or customers may have been breached.

There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

U.S. officials have blamed the SolarWinds hacking campaign on Russia, a charge the Kremlin denies.

Both Tait and Ronen Slavin, Cycode’s chief technology officer, said a key unanswered question was which source code repositories were accessed. Microsoft has a wide range of products, from the widely used Windows to lesser-known software, such as the Yammer social networking application and the Sway design application.

Slavin said he was concerned that SolarWinds hackers might look at Microsoft’s source code as a prelude to a more ambitious offensive.

“For me, the biggest question is, ‘Was this gratitude for the next big operation?’” he said.

Reporting by Raphael Satter and Joseph Menn; Editing by Chris Reese, Diane Craft and Daniel Wallis
