WASHINGTON (Reuters) – The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and gain access to some of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the ambition of the spies.
Source code, the underlying set of instructions that run a program or operating system, is usually among the most guarded secrets of a technology company, and Microsoft has historically been particularly cautious in protecting it.
It is unclear how many or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive U.S. government networks were also interested in discovering the internal workings of Microsoft products.
Microsoft had already revealed that, like other companies, it found malicious versions of SolarWinds software on its network, but the source code disclosure, made in a blog post, is new. After Reuters reported that it was breached two weeks ago, Microsoft said it had “not found any evidence of access to production services.”
Three people briefed on the matter said that Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security employees had been working “all day” and that “when there is information to share, they have posted and shared it.”
The SolarWinds hack is one of the most ambitious cyber operations ever revealed, involving at least half a dozen federal agencies and potentially thousands of companies and other institutions. U.S. and private sector researchers have spent the holidays combing through records to try to understand whether their data has been stolen or altered.
Changing the source code, which Microsoft said the hackers did not do, could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity package and the Windows operating system. But experts said that even just being able to review the code could give hackers information that could help them subvert Microsoft products or services.
“Source code is the architectural blueprint for how software is built,” said Andrew Fife of Cycode, an Israel-based source code protection company.
“If you have the plan, it’s much easier to create attacks.”
Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but also warned that elements of the company’s source code were already widely shared, for example with foreign governments. He said he doubted Microsoft had made the common mistake of leaving cryptographic keys or passwords in the code.
“It won’t affect the safety of its customers, at least not substantially,” Tait said.
Microsoft noted that it allows wide internal access to its code and former employees agreed that it is more open than other companies.
In its blog post, Microsoft said it had found no evidence of access to “production services or customer data.”
“The investigation, which is ongoing, has also found no evidence that our systems were used to attack others,” it said.
Reuters reported a week ago that Microsoft-authorized resellers were hacked and that their access to productivity programs inside targets was used in attempts to read email. Microsoft has acknowledged that some vendor access was misused, but has not said how many resellers or customers may have been breached.
The FBI, which is investigating the hacking campaign, and the Department of Homeland Security’s Cybersecurity and Infrastructure Agency did not respond to requests for comment.
U.S. officials have attributed the SolarWinds hacking campaign to Russia, an allegation the Kremlin denies.
Both Tait and Ronen Slavin, Cycode’s chief technology officer, said a key unanswered question was which source code repositories were accessed. Microsoft has a wide range of products, from the widely used Windows to lesser known programs such as the Yammer social networking app and the Sway design app.
Slavin said he was concerned about the possibility of SolarWinds hackers analyzing Microsoft’s source code as a prelude to a much more ambitious offensive.
“For me, the biggest question is, ‘Was this rebuild for the next big operation?’” he said.
Reporting by Raphael Satter and Joseph Menn; Editing by Chris Reese, Diane Craft and Daniel Wallis