Microsoft Says Russian Hackers Viewed Some of its Source Code

Microsoft admitted last night that hackers gained more access to its internal infrastructure than previously thought. But it’s not as serious as you might expect.

“As we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated and removed,” a post to the Microsoft Security Response Center explains. “Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques[,] and procedures) related to the abuse of forged [Security Assertion Markup Language (SAML)] tokens against our corporate domains.”


Microsoft has found no evidence of access to production services or customer data and no indications that its systems were used to attack others. However, it has found since the initial investigation that state-sponsored Russian hackers viewed, but were not able to modify, some of its source code.

“We discovered one account had been used to view source code in a number of source code repositories,” the post continues. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

So why isn’t this as serious as it sounds? Two reasons.

First, as the company explains, Microsoft uses what it calls an “inner source approach” to software development: it applies open-source development best practices and an open-source-like culture internally, so that its source code is viewable by employees across Microsoft. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft says. “So viewing source code isn’t tied to elevation of risk. We plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”

Second, Microsoft already shares the source code for its most important products with governments and large corporations. The Russian hack of Microsoft and numerous other large corporations and governmental institutions probably had numerous goals, but stealing Microsoft’s source code wasn’t one of them.


Conversation 15 comments

  • oscar1

    01 January, 2021 - 11:03 am

    Do we really know for sure that the cyber espionage was a "state-sponsored Russian" one?

    • wright_is

      Premium Member
      01 January, 2021 - 11:44 am

      In reply to oscar1:

      All the hallmarks of Cozy Bear are smeared over the hacks. Each hacking team leaves their own "fingerprint" behind, a sort of calling card or modus operandi.

      The teams doing the clean-up of the networks after the hack was discovered say that it has Cozy Bear's fingerprint.

      That is not definitive proof, but it means either it was the Russian state-sponsored group, or somebody went to a lot of trouble to hide their own tracks and make it look like Cozy Bear.

      • ngc224

        01 January, 2021 - 1:40 pm

        In reply to wright_is:

        I would guess the latter: “or somebody went to a lot of trouble to hide their own tracks and make it look like Fancy Bear.”

        In fact, I’d guess it was Microsoft itself demonstrating the security of their new, open-source software development.

        The clue was “inner source approach.” Clever Microsoft, but not clever enough.

        • wright_is

          Premium Member
          01 January, 2021 - 2:23 pm

          In reply to ngc224:

          I very much doubt Microsoft went to the trouble of hacking SolarWinds and most of the Fortune 500, governments around the world, just to show how robust their development procedure is.

      • oscar1

        01 January, 2021 - 2:13 pm

        In reply to wright_is:

        You have clearly not been paying much attention to this case. It is Cozy Bear, affiliated with the SVR (Russia's CIA), that is claimed to have been behind this, not Fancy Bear; that group belongs to their military intelligence service, the GRU.

        I think you need to read up on this before spreading further false information.

        • wright_is

          Premium Member
          01 January, 2021 - 2:26 pm

          In reply to oscar1:

          I was out and about when I wrote my reply and mixed up the two, my mistake. I have corrected my original post to reflect your correction.

        • Paul Thurrott

          Premium Member
          02 January, 2021 - 9:31 am

          Dear God.

          Please. It’s 2021. Let’s make basic decency a thing again.

      • ngc224

        01 January, 2021 - 8:55 pm

        In reply to wright_is:

        I think you’re missing the point. Microsoft didn’t orchestrate the hack, but they tried to exploit it to their own ends.

        “All the hallmarks of Cozy Bear” was used to justify years of Russiagate.

        • wright_is

          Premium Member
          02 January, 2021 - 1:11 am

          In reply to ngc224:

          Russiagate is a uniquely US thing.

          Given that independent security experts around the world, who have no iron in the fire that is US political rhetoric, are saying it was the Russians, I would say Russiagate is a red herring.

    • anoldamigauser

      Premium Member
      01 January, 2021 - 1:50 pm

      In reply to oscar1:

      The only person to suggest otherwise is not known for technical expertise with regard to cyber security, and has repeatedly tried to attribute hacking to any source other than Russia.

      • miamimauler

        01 January, 2021 - 5:56 pm

        In reply to AnOldAmigaUser:

        As they say, never bite the hand that feeds you.

        Thankfully, that person will be moving house on Jan 20.

    • suhailali

      Premium Member
      01 January, 2021 - 2:25 pm

      In reply to oscar1:

      Ah, the fog of war. We'll know with more certainty years later when no one cares, but like everyone in the thread says, intelligence agencies only offer probabilities and rarely certainty.

    • lvthunder

      Premium Member
      02 January, 2021 - 5:17 pm

      In reply to oscar1:

      On Security Now, Steve Gibson said that there were two different hacks of SolarWinds. So it could be the Russians and another government. Who knows?

  • winner

    01 January, 2021 - 1:53 pm

    …and they were appalled at what they saw…

  • beewacker

    Premium Member
    03 January, 2021 - 1:21 pm

    It's my understanding the Russians quit looking when they read "all your base are belong to us" in Microsoft's code.


Thurrott © 2024 Thurrott LLC