Microsoft security researchers said today that Russian hackers managed to access more of its network than the company originally believed. However, the company emphasized that even in this case it still did not detect any damage to its systems.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company wrote in a blog post. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
The Russian attack on U.S. government agencies and some U.S. businesses was first disclosed earlier this month, but officials believe it may have been going as early as October 2019. At the center of the cyber storm is SolarWinds, which has become a dominant player in the market for network monitoring services.
SolarWinds provides tools to many large government agencies as well as most of the Fortune 500 companies. The company disclosed that more than 18,000 customers had downloaded a software update that let hackers spy for months undetected in an event now known as “Solorigate.”
Microsoft had previously disclosed that it had found malicious SolarWinds software in its systems. The company has continued to investigate the incident and said it remains confident that Microsoft systems were not used to launch further attacks. In the latest disclosure, Microsoft also said that internal emails, services, and products were also not accessed by hackers and that no source code was changed.
Regarding the viewing of source code, Microsoft also downplayed the risks for reasons that also point to a fundamental evolution at the company over the past decade. Microsoft said much of its source code is open source, and therefore already easily viewable externally. Getting a glimpse under the hood wouldn’t have given the hackers any information that essentially wasn’t already publicly available.
“We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” the company said. “So viewing source code isn’t tied to elevation of risk.”
Still, the latest disclosure is just the latest sign that industry players and government officials are racing to understand the extent of a hack that has become both a security and political scandal.