
Microsoft admitted Thursday that the suspected Russian government hackers’ presence in its environment went beyond the software giant simply downloading malicious SolarWinds Orion code.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Microsoft Security Response Center wrote in a blog post Thursday.
The compromised Microsoft account didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, according to the company. Microsoft said it investigated and remediated the internal accounts with unusual activity.
Microsoft didn’t indicate what type of source code was accessed. The company’s stock was up $0.74 (0.33 percent) in trading Thursday to $222.42 per share.
“We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft wrote in its blog post. “So viewing source code isn’t tied to elevation of risk.”
Microsoft’s disclosure comes a week after CrowdStrike said hackers believed to be with the Russian foreign intelligence service unsuccessfully attempted to hack the endpoint security firm via a Microsoft reseller’s Azure account. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email, CrowdStrike said.
Microsoft told CRN Dec. 24 that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. The abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft said at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
Microsoft reaffirmed Thursday that it’s found no indications that its systems were used to attack others. The company additionally hasn’t found any evidence that the SolarWinds hackers gained access to Microsoft’s production services or customer data.
Then on Dec. 21, The New York Times reported that the SolarWinds hackers had seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership. The hackers performed a complex step inside Microsoft Office 365 to create an encrypted “token” that tricked the Treasury’s system into thinking the hackers were legitimate users, The New York Times said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Dec. 17 it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said, the tokens enable access to both on-premises and hosted resources.
One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.
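The persistence mechanism CISA describes above, forged SAML tokens signed with a stolen signing certificate, leaves traces a defender can correlate: a token signed by a certificate the federation service does not actually use, a token with a lifetime far beyond what the issuer normally grants, or a token issued for a user who never authenticated at the identity provider in the preceding minutes. The following Python script is an added example written for this article, not code from Microsoft, CISA or CRN; the JSON log format, the thumbprint allowlist value, the one-hour lifetime policy and the five-minute correlation window are all constructed assumptions for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thumbprint(s) of the certificate the federation server is known to sign with.
# Placeholder value constructed for this example, not a real thumbprint.
KNOWN_SIGNING_THUMBPRINTS = {"0011aabbccddeeff0011aabbccddeeff00112233"}

# Longest lifetime a legitimately issued token should have (assumed policy).
MAX_TOKEN_LIFETIME = timedelta(hours=1)

# Token issuance should follow an IdP authentication for the same user
# within this window (assumed correlation window).
AUTH_WINDOW = timedelta(minutes=5)


@dataclass
class SamlToken:
    token_id: str
    user: str
    issued_at: datetime
    expires_at: datetime
    signing_thumbprint: str


@dataclass
class AuthEvent:
    user: str
    time: datetime


def parse_saml_log(lines):
    """Parse one constructed JSON object per line into SamlToken records."""
    tokens = []
    for line in lines:
        rec = json.loads(line)
        tokens.append(SamlToken(
            token_id=rec["token_id"],
            user=rec["user"],
            issued_at=datetime.fromisoformat(rec["issued_at"]),
            expires_at=datetime.fromisoformat(rec["expires_at"]),
            signing_thumbprint=rec["thumbprint"].lower(),
        ))
    return tokens


def parse_auth_log(lines):
    """Parse constructed identity-provider authentication events."""
    return [AuthEvent(r["user"], datetime.fromisoformat(r["time"]))
            for r in map(json.loads, lines)]


def find_suspicious_tokens(tokens, auth_events):
    """Return [(token_id, [reason, ...])] for every token failing a check."""
    findings = []
    for t in tokens:
        reasons = []
        if t.signing_thumbprint not in KNOWN_SIGNING_THUMBPRINTS:
            reasons.append("signed by unknown certificate")
        if t.expires_at - t.issued_at > MAX_TOKEN_LIFETIME:
            reasons.append("lifetime exceeds policy")
        preceded = any(a.user == t.user and
                       t.issued_at - AUTH_WINDOW <= a.time <= t.issued_at
                       for a in auth_events)
        if not preceded:
            reasons.append("no preceding IdP authentication for user")
        if reasons:
            findings.append((t.token_id, reasons))
    return findings


# Constructed sample logs: T1 is benign, T2 has a 24-hour lifetime and no
# matching sign-in, T3 is signed by a certificate not in the allowlist.
SAML_LOG = [
    '{"token_id":"T1","user":"alice","issued_at":"2020-12-20T10:00:00",'
    '"expires_at":"2020-12-20T11:00:00",'
    '"thumbprint":"0011AABBCCDDEEFF0011AABBCCDDEEFF00112233"}',
    '{"token_id":"T2","user":"bob","issued_at":"2020-12-20T12:00:00",'
    '"expires_at":"2020-12-21T12:00:00",'
    '"thumbprint":"0011AABBCCDDEEFF0011AABBCCDDEEFF00112233"}',
    '{"token_id":"T3","user":"carol","issued_at":"2020-12-20T13:00:00",'
    '"expires_at":"2020-12-20T14:00:00",'
    '"thumbprint":"ffffffffffffffffffffffffffffffffffffffff"}',
]
AUTH_LOG = [
    '{"user":"alice","time":"2020-12-20T09:59:30"}',
    '{"user":"carol","time":"2020-12-20T12:58:00"}',
]


def run_sample():
    """Run the three checks over the constructed logs."""
    return find_suspicious_tokens(parse_saml_log(SAML_LOG), parse_auth_log(AUTH_LOG))


if __name__ == "__main__":
    for token_id, reasons in run_sample():
        print(token_id, "->", "; ".join(reasons))
```

The third check is the one that matters most when the signing certificate itself has been stolen: a token minted outside the federation server carries a perfectly valid signature, so the only remaining signal is that no corresponding authentication ever happened at the identity provider. In a real deployment the token records would come from the service-provider side (for example, cloud sign-in logs) and the authentication events from the federation server, and the thumbprint allowlist would be populated from the server's actual configuration.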
Microsoft, however, said Thursday that it hasn’t found any evidence that the SolarWinds hackers abused forged SAML tokens against the company’s own corporate domains. All malicious SolarWinds applications in Microsoft’s environments have been isolated and removed, according to the company.
“This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor,” Microsoft wrote in its blog.