Microsoft Confirms Source Code Access in SolarWinds Attack
On Thursday, Microsoft disclosed that threat actors linked to the SolarWinds supply chain attack successfully accessed a limited number of internal accounts within the company. This unauthorized access allowed these sophisticated, nation-state actors to escalate their reach inside Microsoft’s internal network, although they were only able to view, not modify, the source code stored in the company’s repositories.
The investigation revealed that unusual activity was detected from a small subset of internal accounts, culminating in the discovery that one account was employed to examine source code across multiple repositories. Microsoft clarified that this account lacked the necessary permissions to alter any code or engineering systems, and it confirmed that no modifications were made during the breach. The affected accounts have since undergone thorough investigation and remediation.
This incident is part of an extensive espionage saga that emerged in December, following reports from cybersecurity firm FireEye detailing how attackers exploited a compromised SolarWinds update to infiltrate FireEye’s own systems and steal its Red Team tools. Microsoft has acknowledged encountering malicious SolarWinds binaries within its environment but firmly stated that its systems were not used to target external entities and that no production services or customer data were compromised.
In the wake of this attack, several notable organizations—including Cisco, VMware, Intel, and NVIDIA—as well as various U.S. government agencies have identified remnants of the Sunburst malware, also referred to as Solorigate, within their networks. The malware was reportedly introduced via compromised Orion updates.
Microsoft is continuing its investigation into this matter but downplayed the severity of the situation, asserting that mere access to source code does not inherently elevate risk levels. The company indicated that its protective measures effectively neutralized attempts to exploit the situation further.
On December 28, in a separate analysis, Microsoft characterized the attack as a “cross-domain compromise.” This classification highlights the adversary’s ability to inject malicious code into signed SolarWinds Orion Platform binaries, effectively using this backdoor to operate unnoticed while accessing sensitive cloud resources and exfiltrating confidential data. Importantly, the Cybersecurity and Infrastructure Security Agency (CISA) noted that SolarWinds was not the sole vector of infection; alternative methods have yet to be publicly identified.
In light of these developments, CISA has issued supplementary guidance urging all federal agencies utilizing SolarWinds Orion software to upgrade to the latest 2020.2.1 HF2 version, which has been verified by the National Security Agency (NSA) as having removed the previously identified malicious code.
For organizations looking to understand this incident through the lens of cybersecurity frameworks, it is important to note that tactics such as initial access, privilege escalation, and persistence may have been employed by the adversaries. Studying these tactics can provide deeper insight into the methods used and inform future cybersecurity strategies.
Microsoft’s revelations underscore the ongoing challenges posed by advanced persistent threats and highlight the necessity for comprehensive security measures. As cyber threats evolve, awareness and proactive engagement remain paramount for businesses seeking to safeguard their networks against similar vulnerabilities.