Microsoft revealed that the hackers were able to access its source code repositories, as part of the ongoing investigation into the SolarWinds cyber-attack. Microsoft also described this as by far the largest cyber-attack in history: it targeted several private organizations, but the United States (US) government was the primary target. The cyber-security firm FireEye first revealed the SolarWinds cyber-attack back in December.
Microsoft’s official blog post stated that the investigation by its internal security research team found that the hackers accessed the source code through an employee account. In the same blog post, Microsoft also mentioned that there had been many more attempted activities beyond the mere presence of malicious SolarWinds code in its environment.
The internal team also detected unusual activity on a few internal accounts. After reviewing that activity, it was discovered that one particular account had been used to view source code in a number of repositories. That account did not have the administrative rights needed to modify the code.
According to Microsoft, no changes in the source code have been made and the account that accessed the source code is being investigated.
Microsoft did not confirm which source code was accessed, but the fact that the hackers were able to get this deep is quite worrying. Source code is the set of instructions that make up a piece of software or an operating system, and it is generally an organization’s most closely guarded asset.
Microsoft believes that the attack was carried out by a very sophisticated nation-state actor. Although there is no evidence that Microsoft’s systems were used to attack other systems, the risk to the security of its services and customer data is Microsoft’s primary concern.
One of the main concerns about this cyber-attack is that it went on for so long that its full scale remains unknown. The attack may have started even before last spring. According to Democratic Senator Mark Warner of Virginia, who serves as Vice-Chair of the Senate Intelligence Committee, the attack presumably started much earlier. He also stated that, at this point, there is no proof that confidential government secrets were compromised by the attackers.
FireEye, which discovered the attack, revealed that the SolarWinds Orion software, used by many organizations including several US government agencies, was the vehicle for the malware. The infected version of the digitally signed SolarWinds Orion plugin contained a backdoor that could communicate with various third-party servers over HTTP. The plugin initially performed no activity at all; only after about two weeks did it begin executing commands, carrying out tasks such as transfers, file execution, rebooting the system, and disabling system services.
According to FireEye, the malware performs various checks to make sure that no analysis tools are present, and with this approach it remained undetected by anti-virus, anti-malware, and forensic investigators for several months after entering the SolarWinds Orion supply chain.