The hackers behind the SolarWinds supply chain attack managed to escalate access inside Microsoft’s internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories, the company said on Thursday.
The OS maker said the hackers did not make any changes to the repositories they accessed because the compromised accounts only had permission to view the code but not alter it.
The news comes as an update to the company’s internal investigation into the SolarWinds incident, posted today on its blog.
Microsoft emphasized that despite viewing some source code, the threat actors did not escalate the attack to reach production systems, customer data, or use Microsoft products to attack Microsoft customers.
The Redmond-based company said its investigation is still ongoing.
Microsoft previously admitted on December 17 that it had used SolarWinds Orion, an IT monitoring platform, inside its internal network.
Days earlier, news broke that hackers breached IT software maker SolarWinds and inserted malware inside updates for the Orion platform. The malware was then used to gain an initial foothold on the internal networks of private companies and government agencies across the world.
Microsoft was one of the thousands of companies[1, 2, 3] that discovered evidence of malware on their networks, planted via tainted Orion updates.
Microsoft downplays incident
The OS maker downplayed today the fact that hackers viewed its internal source code repositories, claiming this was no big deal.
“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said.
“This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” it added.
Microsoft made this approach to source code secrecy clear in previous years after the source code of several Microsoft products leaked online — such as Windows 10, Windows XP, Windows 2000, Windows Server 2013, Windows NT, and Xbox.