Microsoft says hackers viewed source code as part of SolarWinds attack

Microsoft on Thursday reported that its source code had been viewed, but not altered, by hackers involved in the massive cyber espionage incident that affected thousands of companies and much of the federal government. 

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” Microsoft’s Security Response Center wrote in a blog post on Thursday. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

Microsoft made the announcement as part of its investigation into findings last week, first reported by The Washington Post, that Russian hackers responsible for one of the biggest cyber incidents in U.S. history had compromised Microsoft cloud customers as part of the attack on IT company SolarWinds. 

Microsoft emphasized Thursday that while its source code had been viewed, the ongoing investigation into the incident had found no evidence of Microsoft products being used by the hackers to attack others or that the hackers had accessed production services or consumer data. 

The company reiterated the conclusions of multiple federal agencies, officials and other top security groups that a “sophisticated nation-state actor” was behind the malicious activity, though it did not identify Russia by name. 

The announcement from Microsoft came weeks after Reuters first reported that the Treasury and Commerce departments had been compromised as part of an attack on SolarWinds software updates.

SolarWinds later confirmed the incident in a filing with the Securities and Exchange Commission, noting that it believed around 18,000 of its customers had been affected by the cyber espionage effort, which had been ongoing since at least March. 

SolarWinds counts much of the federal government and the majority of U.S. Fortune 500 companies as customers. While many questions are still unanswered about what was taken or what the goal was, agencies including the Department of Defense, the Department of Homeland Security and the Department of Energy were all reportedly hit by the hacking effort. 

Microsoft President Brad Smith wrote in a separate blog post published earlier this month that the company had notified 40 customers that were targeted “more precisely” by the attackers, with these groups including government agencies, think tanks, IT groups and government contractors. 

While 80 percent of these groups were located in the U.S., organizations in countries including Canada, Mexico, Spain, Belgium, the United Kingdom, Israel and the United Arab Emirates were also hit, according to Smith. 

“This is not ‘espionage as usual,’ even in the digital age,” Smith wrote. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.” 

“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he added. “While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.”

Russia has denied responsibility, though both former Attorney General William Barr and Secretary of State Mike Pompeo said publicly this month that they believed Russian hackers were behind the wide-reaching incident. 

President Trump was slow to address the hack, only once publicly commenting on it in a tweet earlier this month that suggested China was actually behind it. The Chinese government had denied responsibility, and no evidence had publicly been disclosed linking it to the attack on SolarWinds.

Lawmakers on both sides of the aisle have called for a strong response following the hack, while President-elect Joe Biden described the incident as “a grave risk to our national security,” vowing this week to modernize U.S. defense systems to better defend against cyber threats.