By Raphael Satter and Joseph Menn
WASHINGTON (Reuters) – The hacking group behind the SolarWinds compromise broke into Microsoft Corp. and accessed some of its source code, Microsoft said Thursday, something that experts said sent a worrying signal about the ambitions of the spies.
Source code – the underlying set of instructions that run software or an operating system – is usually one of the best-kept secrets of any technology company, and Microsoft has taken great care to protect it in the past.
It is not clear how much or what parts of Microsoft's source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a stepping stone to break into sensitive US government networks also had an interest in discovering the inner workings of Microsoft products.
Microsoft previously announced that, like other companies, it had found malicious versions of SolarWinds software on its network, but the source code disclosure, made in a blog post, is new. After Reuters reported a breach two weeks ago, Microsoft said it had "found no evidence of access to production services."
Three people who were briefed on the matter said Microsoft had known for days that the source code was being accessed. A Microsoft spokesman said security guards worked "around the clock" and "when there is actionable information to share, they have published and shared it."
The SolarWinds hack is among the most ambitious cyber operations ever publicized, putting at least half a dozen federal agencies and potentially thousands of companies and other institutions at risk. Investigators from the U.S. and the private sector spent the holidays sifting through logs to understand if their data was stolen or altered.
Changing the source code – which Microsoft said the hackers did not do – could have potentially catastrophic results given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. However, experts said that even the ability to review the code could provide hackers with insights that could help them undermine Microsoft products or services.
"The source code is the architectural blueprint for creating the software," said Andrew Fife of Cycode, a source code protection company based in Israel.
"When you have the blueprint, it's a lot easier to construct attacks."
Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap for hacking Microsoft products, but also warned that elements of the company's source code were already widely used – with foreign governments, for example. He doubted that Microsoft made the common mistake of leaving cryptographic keys or passwords in code.
"It won't affect the safety of their customers, at least not significantly," Tait said.
Microsoft found that it allowed broad internal access to its code, and former employees agreed that it was more open than other companies.
In its blog post, Microsoft said it had found no evidence of access to "production services or customer data".
"The ongoing investigation has also revealed no evidence that our systems were used to attack others," it said.
Reuters reported a week ago that Microsoft-authorized resellers were hacked and that their access to productivity programs inside targets was used in attempts to read email. Microsoft admitted that some vendors' access was abused, but has not disclosed how many resellers or customers may have been affected.
There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
US officials have attributed the SolarWinds hacking campaign to Russia, a claim the Kremlin denies.
Both Tait and Ronen Slavin, Cycode's chief technology officer, said an important unanswered question was which source code repositories were accessed. Microsoft offers a wide variety of products, from widely used Windows to lesser-known software like the social networking app Yammer and the design app Sway.
Slavin said he was concerned about the possibility that the SolarWinds hackers were rummaging through Microsoft's source code as a prelude to a much more ambitious offensive.
"For me the biggest question is, 'Was this clearing up for the next major operation?'" he said.