Hackers behind the SolarWinds attack breached Microsoft and stole proprietary source code including details about how Azure authenticates customers, the company admitted February 18.
Wrapping up its investigation into the breach, Microsoft said the hackers also accessed repositories and downloaded source code relating to Intune and Exchange components — respectively, a cloud-based mobile device and application management platform, and business email server software.
The blog presents the most detail Microsoft has provided thus far about what the extent of its breach in the wake of the SolarWinds compromise that it has touched on only loosely in previous public comments. The company insisted there were “no indications that our systems at Microsoft were used to attack others.”
In a post attributed to the Microsoft Security Response Center (MSRC) team, Microsoft said: “The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”
The SolarWinds hack resulted in some ~10 US government agencies being breached including the Commerce, Treasury, and Homeland Security departments. Other SolarWinds reportedly investigating whether they were compromised include NATO, the European Parliament, and the UK’s Ministry of Defence, NHS, and Home Office.
The success of the attack, which has been attributed to Russia-backed state actors — and which Microsoft earlier said bears the fingerprints of a stunning 1,000+ developers — nonetheless will trouble policy makers who have contracted Microsoft to provide a cloud for the US’s Department of Defence in a controversial $10 billion so-called “JEDI” contract that will see it “address critical and urgent unmet warfighter requirements for modern cloud infrastructure at all three classification levels delivered out to the tactical edge”.
Microsoft has suffered rather publicly from the attack. The SolarWinds attackers, once they breached SolarWinds customers, used their access to get into to cloud tenants, typically by (once in a network) stealing an Active Directory token-signing certificate and using it to forge tokens that give it cloud access. As many security professionals have noted, these “illicit consent” attacks are difficult to detect; there is no malware involved, and the activity may not raise any alarms within the compromised cloud tenants.
In a January 20 report, Microsoft highlighted the impressive operational security measures of the attackers, which included “methodic avoidance of shared indicators for each compromised host… each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files.”
Microsoft added last month: “Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.”