The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp. and access some of its source code, Microsoft said Thursday.
In a blog post, Microsoft said its investigation into the SolarWinds breach had turned up irregularities with a “small number of internal accounts” and that one of the accounts “had been used to view source code in a number of source code repositories.” It added that the account had no ability to modify the code.
The disclosure adds to the growing picture of the compromises associated with the SolarWinds hack, which used the Texas-based company’s flagship network monitoring software as a springboard to break into sensitive U.S. government networks and other tech companies. Microsoft had disclosed that, like other firms, it found malicious versions of SolarWinds’ software inside its network, but the source code disclosure is new.
A company’s source code, the underlying set of instructions that run a piece of software or an operating system, is typically among its most closely guarded secrets. It is not clear how many or specifically which source code repositories the hackers were able to access or how long the hackers were lurking in Microsoft’s systems. A Microsoft spokesman declined to elaborate on the blog post.
Modifying source code, which Microsoft said the hijacked account could not do, could have potentially disastrous consequences, but experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.
“The source code is the architectural blueprint of how the software is built,” said Andrew Fife of Israel-based Cycode, a source code protection company.
“If you have the blueprint, it’s far easier to engineer attacks.”
Both he and Ronen Slavin, Cycode’s chief technology officer, said a key unanswered question was which source code repositories were accessed. Microsoft has a huge range of products, from its flagship Windows operating system to lesser-known software such as social networking app Yammer and the design app Sway.
Slavin said he was also worried by the possibility that the SolarWinds hackers were poring over Microsoft’s source code as a prelude to something more ambitious.
“To me the biggest question is, ‘Was this recon for the next big operation?’ ” he said.
In its blog post, Microsoft said it had found no evidence of access “to production services or customer data.”
“The investigation, which is ongoing, has also found no indications that our systems were used to attack others,” it said.