Microsoft on Thursday said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there’s no evidence that they abused its internal systems to target other companies or gained access to production services or customer data.
The disclosure builds upon an earlier update on December 31, 2020, that uncovered a compromise of its own network to view source code related to its products and services.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Windows maker had previously disclosed.
“The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”.
Now according to the company, besides viewing few individual files by searching through the repositories, some cases involved downloading component source code related to —
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
“The search terms used by the actor indicate the expected focus on attempting to find secrets,” the company said, adding a subsequent verification affirmed the fact that they did not contain any live, production credentials.
Calling the SolarWinds supply chain attack a “moment of reckoning,” Microsoft in January recommended organizations to adopt a “zero trust mentality” in order to achieve the least privileged access and minimize risks by enabling multi-factor authentication.
The company said the attacks have reinforced the need to embrace the Zero Trust mindset and protect privileged credentials.
It’s worth noting that the entire espionage campaign leveraged the trust associated with SolarWinds software to insert malicious code that was then distributed to as many as 18,000 of its customers.
“Zero Trust is a proactive mindset,” said Vasu Jakkal, corporate vice president for security, compliance, and identity at Microsoft. “When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can’t expand.”
“The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way.”