WASHINGTON (Reuters) – Microsoft said on Thursday that the hacking group behind the SolarWinds hack managed to break into Microsoft and gain access to some of its source code, something experts said sent a worrying signal about the spies’ ambition.
Source code – the basic set of instructions that make up a program or operating system – is usually among a tech company’s most closely guarded secrets, and Microsoft has historically been especially keen to protect it.
It’s not clear how much or what parts of Microsoft’s source code repositories hackers have accessed, but the disclosure suggests that hackers who used the software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft’s products.
Microsoft has already revealed that it, like other companies, has found malicious versions of SolarWinds within its network, but the source code disclosure – which was made in a blog post – is new. After Reuters reported that it was hacked two weeks ago, Microsoft said it had “found no evidence of accessing production services.”
Three people familiar with the matter said Microsoft had known for days that the source code had been accessed. A Microsoft spokesperson said that security personnel were working “around the clock” and that “when there is actionable information to share, they publish and share it.”
The SolarWinds hack is among the most ambitious cyber operations ever disclosed, affecting at least six federal agencies and possibly thousands of other companies and organizations. Investigators in the United States and the private sector have spent the holidays combing records to try to understand if their data has been stolen or modified.
Modifying the source code – which Microsoft said hackers did not do – could have potentially dire consequences given the ubiquity of Microsoft’s products, which include the Office productivity suite and the Windows operating system. But experts said that even just being able to review the code could provide hackers with insight that could help them sabotage Microsoft’s products or services.
“The source code is the architectural blueprint for how the program is built,” said Andrew Five of Cycode, an Israel-based source code protection company.
“If you have the blueprint, it is much easier to engineer the attacks.”
Matt Tait, an independent researcher in the field of cybersecurity, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also cautioned that elements of the company’s source code have already been shared widely – for example with foreign governments. He said he suspects Microsoft made the common mistake of leaving encryption keys or passwords in the code.
“It’s not going to affect the security of their clients, at least not significantly,” Tait said.
Microsoft noted that it allows extensive in-house access to its code, and past employees agree it is more open than other companies.
Microsoft said in its blog post that it had found no evidence of accessing “production services or customer data.”
It added, “The ongoing investigation did not find any indications that our systems were used to attack others.”
Reuters reported a week ago that Microsoft-authorized resellers had been compromised and that their access to productivity software inside targets was being leveraged in attempts to read email. Microsoft has acknowledged abuse of some vendors’ access, but has not stated how many vendors or customers may have been compromised.
There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
US officials attributed the SolarWinds hacking campaign to Russia, a claim the Kremlin denies.
Tait and Ronen Slavin, Cycode’s chief technology officer, said the main unanswered question was what repositories of source code were accessed. Microsoft has a wide range of products, from widely used Windows to lesser-known software such as the Yammer social networking app and Sway design app.
Slavin said he was concerned about the possibility of SolarWinds hackers searching Microsoft’s source code as a prelude to a more ambitious attack.
He said, “The biggest question for me is, ‘Was this a replay of the next big operation?’”
Additional reporting by Raphael Sater and Joseph Main. Editing by Chris Rees, Diane Kraft and Daniel Wallis