Microsoft analysts continue to examine the supply chain attack that recently hit SolarWinds and its customers, and it appears that the attackers gained deeper access to Microsoft's systems than the company had previously disclosed.
Microsoft has acknowledged that the attackers gained access to a small number of internal accounts and used at least one of them to view source code in repositories for some of its products.
“We detected unusual activity in a small number of internal accounts and, upon review, we discovered that one of the accounts had been used to view the source code of various repositories,” Microsoft explained in a post from its Security Response Center.
The Redmond-based company said its investigation is still ongoing, but downplayed the incident, stating that the ability to view source code does not by itself raise the security risk of its products. Microsoft also acknowledged that it had found evidence of other attempts at unauthorized activity, which it says were blocked by its internal protections.
In a separate analysis published on December 28, Microsoft described the attack as a “cross-domain compromise.” The attackers inserted malicious code into Orion monitoring and management binaries that were then built and signed with SolarWinds' own code-signing certificate, so the tampered files passed as legitimate updates. From that on-premises foothold they were able to keep operating undetected and pivot into the cloud resources of the organisations running the software. A practical caveat follows from this: because the malicious binaries carried a valid vendor signature, signature verification alone would not have flagged them, and detection had to rely on behavioural indicators and on the file hashes published after the compromise became known.
The SolarWinds hack is widely regarded as the most serious cybersecurity incident of 2020. Last month it was disclosed that unknown attackers had compromised SolarWinds and trojanised its Orion platform. Among the victims were Microsoft, Cisco and FireEye, as well as a number of US government agencies, including the State Department and the National Nuclear Security Administration.
The operation is believed to have been carried out by a state-sponsored group. APT29, which is linked to the Russian intelligence services, is the prime suspect.