In December, Microsoft confirmed that it had downloaded the compromised SolarWinds Orion software update that contained the Sunburst/Solarigate backdoor. Microsoft previously announced that the backdoor had been detected but no evidence had been found to indicate its software was compromised and used in similar supply chain attacks on its customers.
Investigations into the breach have been continuing and Microsoft has now confirmed that malicious executables have been detected within its environment. In a December 31, 2020 blog post, Microsoft said the hackers were able to compromise internal accounts and one was used to view the source code of its software. That account did not have sufficient permissions to allow the source code to be altered and no access is believed to have been gained to its engineering systems. Microsoft says that customer data does not appear to have been compromised and no evidence has been found to indicate its systems have been used in attacks on other companies or any of its customers.
Several accounts are known to have been compromised and action has now been taken to terminate further unauthorized access. Microsoft did not disclose what source code was accessed, but said several source code repositories were viewed and that the unauthorized viewing of its source code is not considered to pose a security risk.
Some Microsoft customers have had their cloud services and email data compromised as part of the broader SolarWinds Orion supply chain attack. Microsoft previously said that more than 40 of its customers have had their Azure accounts compromised via attacks on third party resellers, whose access to customers’ accounts was leveraged to read and steal emails and other data.
Initial reports about the supply chain attack indicate the victim count is likely to be in the thousands. While the software update may have been used to infect large numbers of companies with the Sunburst/Solarigate backdoor, the further compromises used to access the cloud resources of those victims – which appears to be the main purpose of the attack – are believed to be far less extensive, with the victim count likely to be in the low hundreds. Even so, this is still a major hacking incident considering several government agencies have been compromised as well as many large enterprises and cybersecurity companies.
The attacks appear to have been conducted for espionage purposes by threat actors with links to Russia. No evidence of network destruction or sabotage has been reported to date.