SolarWinds hackers have gained access to Microsoft’s source code, the company says

WASHINGTON (Reuters) – The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said Thursday, something experts said sent a troubling signal about the ambition of the spies.

The source code – the underlying set of instructions that execute a piece of software or an operating system – is usually one of the best-kept secrets of a technology company, and Microsoft has been particularly careful in protecting it in the past.

It’s not clear how many or what parts of Microsoft’s source code repositories the hackers had access to, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products.

Microsoft had already disclosed that, like other companies, it had found malicious versions of SolarWinds software on its network, but the disclosure of the source code – made in a blog post – is new. After Reuters reported that it had been breached two weeks ago, Microsoft said it had “found no evidence of access to manufacturing services.”

Three people briefed on the matter said Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security officers have been working “around the clock” and that “when there is actionable information to share, they have published and shared it.”

The SolarWinds hack is one of the most ambitious cyber operations ever disclosed, putting at least half a dozen federal agencies and potentially thousands of businesses and other institutions at risk. U.S. and private-sector investigators have been combing logs throughout the holidays trying to find out if their data was stolen or altered.

Modifying the source code – which Microsoft said the hackers did not do – could have potentially disastrous consequences given the ubiquity of Microsoft products, including the Office productivity suite and the Windows operating system. But experts said even just being able to assess the code could provide hackers with insight that could help them undermine Microsoft products or services.

“The source code is the architectural blueprint of how the software is built,” said Andrew Fife of Israel-based Cycode, a source code protection company.

“When you have the blueprint, it is much easier to make attacks.”

Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also warned that elements of the company’s source code were already widely shared – for example with foreign governments. He said he doubted Microsoft had made the common mistake of leaving cryptographic keys or passwords in the code.

“It won’t affect the safety of their customers, at least not materially,” said Tait.

Microsoft noted that it allows wide internal access to its code, and former employees agreed that it is more open than other companies.

In its blog post, Microsoft said it had found no evidence of access to “production services or customer data.”

“The investigation, which is underway, also found no evidence that our systems were being used to attack others,” it said.

Reuters reported a week ago that Microsoft-authorized resellers were being hacked and that their access to productivity programs within targets was being exploited in attempts to read email. Microsoft acknowledged that certain vendor access has been abused, but has not said how many resellers or customers may have been breached.

There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

US officials have attributed the SolarWinds hacking campaign to Russia, an accusation that the Kremlin denies.

Both Tait and Ronen Slavin, Cycode’s chief technology officer, said a major unanswered question was which source code repositories were accessed. Microsoft has a huge range of products, from the widely used Windows to lesser-known software such as the social networking app Yammer and the design app Sway.

Slavin said he was concerned about the possibility that the SolarWinds hackers might be looking at Microsoft’s source code as a prelude to a much more ambitious offensive.

“For me, the biggest question is, ‘Was this reconnaissance for the next major operation?’” he said.

Reporting by Raphael Satter and Joseph Menn; Edited by Chris Reese, Diane Craft and Daniel Wallis
