Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code

Microsoft's security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers.

The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally.

In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects.

"Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts," the company said today, in its final report into the SolarWinds-related breach.

Microsoft said that after cutting off the intruder's access, the hackers continued to try to access Microsoft accounts throughout December and even up until early January 2021, weeks after the SolarWinds breach was disclosed, and even after Microsoft made it clear they were investigating the incident.

"There was no case where all repositories related to any single product or service was accessed," the company's security team said today. "There was no access to the vast majority of source code."

Instead, the OS maker said intruders viewed "only a few individual files [...] as a result of a repository search."

Microsoft said that based on the search queries attacker performed inside their code repositories, the intruders appeared to have been focused on locating secrets (aka access token) that they could be used to expand their access to other Microsoft systems.

The Redmond company said these searches failed because of internal coding practices that prohibited developers from storing secrets inside source code.

Some source code was also downloaded

But beyond viewing files, the hackers also managed to download some code. However, Microsoft said the data was not extensive and that the intruders only downloaded the source code of a few components related to some of its cloud-based products.

Per Microsoft, these repositories contained code for:

• a small subset of Azure components (subsets of service, security, identity)
• a small subset of Intune components
• a small subset of Exchange components

All in all, the incident doesn't appear to have damaged Microsoft's products or have led to hackers gaining extensive access to user data.

SolarWinds Updates

SolarWinds: The more we learn, the worse it looks

CISA: US govt agencies must update right away

A second hacking group targets SolarWinds systems

Hackers accessed Microsoft source code

Microsoft quarantines trojanized apps

Microsoft identifies 40+ victims, most in US

Microsoft and industry partners seize key domain used in hack

SEC filing: 18,000 customers impacted

Breach is not a marketing opportunity

• SolarWinds: The more we learn, the worse it looks
• CISA: US govt agencies must update right away
• A second hacking group targets SolarWinds systems
• Hackers accessed Microsoft source code
• Microsoft quarantines trojanized apps
• Microsoft identifies 40+ victims, most in US
• Microsoft and industry partners seize key domain used in hack
• SEC filing: 18,000 customers impacted
• Breach is not a marketing opportunity