SolarWinds hackers studied Microsoft source code for authentication and email

By Joseph Menn

SAN FRANCISCO (Reuters) – The hackers behind the worst intrusion of U.S. government agencies in years won access to Microsoft’s secret source code for authenticating customers, potentially aiding one of their main attack methods.

Microsoft said in a blog post on Thursday that its internal investigation had found the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications. https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update

Some of the code was downloaded, the company said, which would have allowed the hackers even more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.

U.S. authorities said Wednesday the breaches revealed in December extended to nine federal agencies and 100 private companies, including major technology providers and security firms. They said the Russian government is likely behind the spree, which Moscow has denied.

Initially discovered by security provider FireEye Inc, the hackers used advanced skills to insert software back doors for spying into widely used network-management programs distributed by Texas-based SolarWinds Corp.

At the most prized of the thousands of SolarWinds customers that were exposed last year, the hackers added new Azure identities, added greater rights to existing identities, or otherwise manipulated the Microsoft programs, largely to steal email.

Some hacking also used such methods at targets which did not use SolarWinds. Microsoft previously acknowledged that some of its resellers, who often have continual access to customer systems, had been used in the hacks. It continues to deny that flaws in anything it provides directly have been used as an initial attack vector.

Microsoft declined to answer Reuters’ questions about which parts of its code had been downloaded or whether what the hackers discovered would have helped them hone techniques.

The company also declined to say whether it was changing any of its code as a result of the breach.

The Department of Homeland Security did not respond to questions.

The company said Thursday it had completed its probe and that it had “found no indications that our systems at Microsoft were used to attack others.”

Nevertheless, the problems with identity management have proved so pervasive in the recent attacks that multiple security companies have issued new guidelines and warnings as well tools for detecting misuse.

President Joe Biden has promised a response to the SolarWinds hacks, and an inquiry and remediation effort is being led by his top cybersecurity official, Deputy National Security Advisor Anne Neuberger.

The Senate Intelligence Committee will hold a hearing on the hacks Tuesday with witnesses including Microsoft President Brad Smith and FireEye Chief Executive Kevin Mandia.

(Reporting by Joseph Menn; Editing by Jonathan Oatis and Christopher Cushing)