Microsoft said Thursday that the far-reaching Russian hack of US government agencies and private companies had penetrated its network further than the company had previously understood.
While the hackers, who presumably work for the Russian intelligence service SVR, apparently did not use Microsoft’s systems to attack other victims, they were able to view Microsoft source code through an employee account.
Microsoft said the hackers could not get into email or its products and services, and that they could not change the source code they viewed. No information was given on how long the hackers had been on the network or which products’ source code was viewed. Microsoft originally said it had not been affected by the attack.
“Our investigation of our own environment has revealed no evidence of access to manufacturing services or customer data,” the company said in a blog post. “The ongoing investigation also found no evidence that our systems were used to attack others.”
The hack, which may still be ongoing, appears to have started as early as October 2019. At the time, hackers breached SolarWinds, a Texan company that provides technology monitoring services to government agencies and 425 of the Fortune 500 companies. The compromised software was then used to break into the Commerce, Treasury, State and Energy departments, along with FireEye, a leading cybersecurity company that first exposed the breach last month.
Investigators are still trying to understand what the hackers stole, and active investigations suggest that the attack is more widespread than originally thought. Last week, CrowdStrike, a FireEye competitor, announced that the same attackers had tried, unsuccessfully, to break into it. In that case, the hackers used Microsoft resellers, companies that sell software on Microsoft’s behalf, to try to gain access to its systems.
The Department of Homeland Security has confirmed that SolarWinds was just one of several ways the Russians attacked American agencies, tech and cybersecurity companies.
President Trump has publicly suggested that China, not Russia, may have been the culprit behind the hack – a claim that has been disputed by Secretary of State Mike Pompeo and other senior members of the administration. Mr. Trump has also privately referred to the attack as a “joke”.
President-elect Joseph R. Biden Jr. has accused Mr. Trump of downplaying the hack, saying his administration will not be able to trust the software and networks that federal agencies rely on to do business.
Ron Klain, Mr. Biden’s chief of staff, said the administration was planning a response beyond sanctions.
“Those responsible will have consequences,” Klain told CBS last week. “It’s not just sanctions. There are also steps and things we could do to reduce the ability of foreign actors to repeat this type of attack or, worse, carry out more dangerous attacks.”
Security experts said the scope of the hack cannot be fully known yet. SolarWinds has announced that its compromised software found its way onto the networks of 18,000 of its customers. While SolarWinds, Microsoft, and FireEye believe the number of actual victims could be limited to dozens, ongoing research suggests the number could be much larger.
“This hack is far worse and more powerful than we realize today,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and former chief technology officer at CrowdStrike. “We should be prepared for the fact that many more shoes will fall in the coming months.”
American officials are still trying to understand whether the hack was traditional espionage, similar to what the National Security Agency does on foreign networks, or whether the Russians built so-called backdoors into systems at government agencies, large corporations, the power grid, and the United States’ nuclear weapons labs for future attacks.
Officials believe the hack was confined to unclassified systems but are concerned about sensitive unclassified data that the hackers may have obtained.
Microsoft said Thursday that its investigation had found unusual activity on a small number of employee accounts. It then found that one of them had been used to view “a number of source code repositories”.
“The account did not have permission to change any code or technical systems, and our investigation also confirmed that no changes were made,” the company said in its blog post.
Unlike many technology companies, Microsoft does not rely on the secrecy of its source code to keep its products secure. Employees can readily view the source code, and the company’s threat models already assume that attackers have access to it, which suggests that the consequences of the breach could be limited.
Some government officials have been frustrated that Microsoft, which may have the largest window into global cyber activity of any private company, did not detect the hack and alert the government sooner. Federal agencies and intelligence agencies learned of the SolarWinds breach from FireEye.
Brad Smith, president of Microsoft, said the hack reflected a failure of the government to share threat intelligence between government agencies and the private sector. In a December interview, he called the hack a “moment of reckoning”.
“How will our government react to this?” asked Mr. Smith. “It feels like the nation has lost sight of the lessons of September 11th. Twenty years after something terrible happened, people forget what they need to do to be successful.”