On New Year’s Eve, when everyone’s attention was somewhere else, Microsoft casually announced that its source code had been breached. This was followed by a ‘nothing-to-see-here’ discussion of the incident. So, I suppose we should just continue living as if the SolarWinds attackers’ penetration to the core of the Microsoft Corporation is a minor cyber incident.
However, if this is true, then why try so hard to downplay the event? In fact, the post seems to treat this breach as a good thing. As the MSRC Team asserts, “we believe the Solorigate incident is an opportunity to work together in important ways, to share information, strengthen defenses and respond to attacks.” Great! Then we can only hope for more nation-state attacks on our government and major corporations, right? Apparently, the only reason Microsoft released this information at all was that it wanted to show how it is working together with others. We “want to share an update from our ongoing internal investigation.”
The team then goes on to elaborate. “Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.” (emphasis theirs). That’s nice. I suppose they also found no evidence of Sasquatch. In fact, you have to get to paragraph four before the team reveals what it did find.
“Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment.” But, just as we are about to learn what happened, we are, once again, given a lecture on how important it is to share with others. “We want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.” Okay, we get it. So, what happened?
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories.” Wait, what? So the attackers saw the source code for a number of Microsoft products, but exactly which products’ source code did they see? Sadly, the team lost its spirit of sharing when it came to this information. We only know that the accounts that were hacked did not have the right to alter the source code. But could the attackers exfiltrate the information? Could they copy it? Could they take a screenshot? In any event, they saw the code for some Microsoft product for, apparently, as long as they needed to see it. If experienced hackers working for a nation-state saw this code, they could have checked it for vulnerabilities and organized an attack exploiting them. The fact that Microsoft is silent on which code was viewed leads me to wonder if it wasn’t the code for some important product. True, Microsoft claims to use an ‘inner source’ approach for a lot of its code, which it calls an “open source-like culture”, wherein the code is shared among certain Microsoft employees and customers, but there are, apparently, good reasons for not making the code completely open source.
Many in the cybersecurity sector worry that the attackers may follow the same M.O. they used in the SolarWinds attack, which was altering the code in an update to deliver malware. Since Microsoft sends out frequent updates for its products, it is not wild speculation to worry about a large number of potential victims.
Back in September, the source code for a number of Microsoft products appeared online. It was not authorized by Microsoft. Here are the products for which the source code became available.
There was also a 69GB source code dump in May. And here are some leaks that appeared last month.
Whether any of these dumps gave potential hackers a clearer view of Microsoft’s coding strategy and, by extension, a look at a vulnerability, is difficult to say.
There are numerous reasons to believe that this breach was far worse than Microsoft is letting on. First of all, the release of this information on New Year’s Eve seems to have been timed to avoid a media storm. This was a planned release of information they had known about for some time. They clearly hoped the story would get little attention. If, as they assert, there was nothing important about the breach, then why try to hide it?
Secondly, the post shows all the signs of trying to calm customers and investors. The breach of the source code is seriously underplayed, which only makes people more nervous. What’s worse is the announcement that the investigation is ongoing. This seems to indicate that the team is not really sure how serious the situation is. We are also told more about what didn’t happen than about what did happen. This distraction is best demonstrated by the team’s assertion that “this activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.” In other words, they still have not removed all of the malware from their network or don’t really know the full extent of the hack. Customer data has not been affected, at least so far. However, I would question whether they can claim that the security of their services can be guaranteed, especially since the investigation is ongoing.
It is normal for companies to downplay breaches to calm customers. Such announcements are often followed by incremental leaks which show that things were worse than the company initially reported. By the time we find out the full extent of this source code attack, it will likely have been exploited by the attackers. I assume Microsoft’s biggest customers have been warned to expect such attacks. If not, expect Microsoft to be hit with numerous lawsuits. But maybe this is a good thing, as it will enable them to continue sharing, this time by sharing their profits with the victims.