Software blueprints acquired but not altered

The SolarWinds hackers accessed portions of Microsoft’s source code, the software giant admitted last week.

The latest results of an ongoing investigation by Microsoft revealed that the sophisticated attackers behind the SolarWinds cyber-espionage operation were able to use compromised accounts to access the blueprints of Microsoft’s software.

The recently detected supply chain attack affecting enterprise IT management tools firm SolarWinds has sent shock waves through the industry.

SolarWinds’ Orion software is used to manage servers at a diverse range of organizations including various arms of the US government, threat response firm FireEye, and Microsoft. Updates to the software were used to distribute malware.

The attacks – which may have begun as early as March but were only detected last month – have been linked to Russian state-sponsored cyber-espionage gang APT29 (AKA Cozy Bear).

Unusual activity

The breach did not result in the far more serious outcome of changes to its source code, a statement issued by Microsoft late last week explains:

We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories.

The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made.

These accounts were investigated and remediated.

Microsoft previously admitted that although it was affected by the industry wide SolarWinds attack, its investigations had found “no evidence of access to production services or customer data”.

Redmond is sticking to that line and says that it has “found no indications that our systems were used to attack others”, contrary to reports by Reuters.

The software giant previously said that it had detected malicious SolarWinds applications in its environment, which it isolated and removed.

Further investigations have examined the common tools, techniques, and procedures (TTPs) related to the abuse of forged Security Assertion Markup Language (SAML) tokens associated with the SolarWinds attacks.
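Forged SAML tokens are hard to spot with signature verification alone, because a forger who holds the identity provider's signing key produces cryptographically valid tokens. What gives such tokens away is policy: they are signed by a certificate the service provider never trusted, carry lifetimes the real IdP would never issue, or are addressed to the wrong audience. The following is an added example (not code from Microsoft, SolarWinds or the article) of a policy-check layer a service provider can run after its SSO library has verified the XML signature. The issuer URL, audience, certificate bytes, lifetime limit and the two sample assertions are constructed for illustration; the Signature element in the samples carries only the certificate, not a real XML-DSig value, since signature checking is assumed to happen upstream.

```python
"""Policy checks over SAML 2.0 assertions, run after signature verification.

Added example, not code from Microsoft or the article. All names, the
trusted certificate bytes and the sample assertions are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for the service provider's real configuration.
TRUSTED_ISSUER = "https://idp.example.test/adfs/services/trust"
EXPECTED_AUDIENCE = "https://app.example.test/sp"
MAX_LIFETIME = timedelta(hours=1)  # IdP policy; multi-day tokens are a forgery tell
TRUSTED_CERT = b"constructed-trusted-idp-cert-der"  # would be the IdP's DER cert
ROGUE_CERT = b"constructed-attacker-cert-der"        # a key the IdP never had
# Thumbprints (SHA-1 over the DER certificate, as ADFS displays them) we accept.
TRUSTED_CERT_THUMBPRINTS = {hashlib.sha1(TRUSTED_CERT).hexdigest()}
NOW = datetime(2020, 12, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _parse_time(value: str) -> datetime:
    """SAML timestamps are ISO 8601 UTC; map the trailing Z for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_assertion(issuer, cert_der, not_before, lifetime, audience):
    """Build a minimal assertion for testing (no real signature value)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    not_after = not_before + lifetime
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before.strftime(fmt)}" NotOnOrAfter="{not_after.strftime(fmt)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text: str, now: datetime) -> list:
    """Return policy findings for one assertion; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        findings.append(f"unexpected issuer {issuer!r}")

    # The signer must be a certificate we pinned, not merely any valid X.509 cert.
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        findings.append("no signing certificate in assertion")
    else:
        thumb = hashlib.sha1(base64.b64decode(cert_el.text.strip())).hexdigest()
        if thumb not in TRUSTED_CERT_THUMBPRINTS:
            findings.append(f"signed with untrusted certificate {thumb[:16]}...")

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("missing validity window")
    else:
        nb, na = _parse_time(cond.get("NotBefore")), _parse_time(cond.get("NotOnOrAfter"))
        if not (nb <= now < na):
            findings.append("assertion outside its validity window")
        if na - nb > MAX_LIFETIME:
            findings.append(f"lifetime {na - nb} exceeds policy {MAX_LIFETIME}")
        aud = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if aud != EXPECTED_AUDIENCE:
            findings.append(f"audience {aud!r} is not this service")
    return findings


def demo():
    """Run the checks over a legitimate and a forged-looking assertion."""
    good = make_assertion(TRUSTED_ISSUER, TRUSTED_CERT, NOW - timedelta(minutes=5),
                          timedelta(minutes=10), EXPECTED_AUDIENCE)
    # Forged shape: correct issuer string and audience, but signed with a key the
    # IdP never held and given a lifetime far beyond what the IdP would issue.
    forged = make_assertion(TRUSTED_ISSUER, ROGUE_CERT, NOW - timedelta(hours=1),
                            timedelta(hours=72), EXPECTED_AUDIENCE)
    return check_assertion(good, NOW), check_assertion(forged, NOW)


if __name__ == "__main__":
    for label, findings in zip(("legitimate", "forged"), demo()):
        print(label, "->", findings or "OK")
```

If the attacker has stolen the genuine signing key, the thumbprint check passes, which is why the lifetime and audience checks and logging of every finding matter independently; a burst of long-lived assertions is the kind of anomaly worth alerting on even when each one verifies.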

Fanning the flames

Microsoft went on to say that because its security culture is mature, it put no reliance on “security by obscurity”. As a result, the possibility that attackers had access to its source code was said to pose no particular heightened threat.

“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” it said.

“This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”

“As with many companies, we plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access,” Microsoft added.

Independent security experts said that Microsoft’s engineering philosophy was evidence of the benefits of a defense-in-depth approach.

Jake Williams commented on Twitter: “They [Microsoft] have embraced an open source threat modeling approach – assume the code will become open and don’t tie security to secrecy. With some companies, you might hear that and call BS. Don’t do that here.”
