Microsoft admitted last night that hackers gained more access to its internal infrastructure than previously thought. But it’s not as serious as you might expect.
“As we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated and removed,” a post to the Microsoft Security Response Center explains. “Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques[,] and procedures) related to the abuse of forged [Security Assertion Markup Language (SAML)] tokens against our corporate domains.”
Microsoft has found no evidence of access to production services or customer data, and no indications that its systems were used to attack others. However, since the initial investigation it has found that state-sponsored Russian hackers viewed, but were not able to modify, some of its source code.
“We discovered one account had been used to view source code in a number of source code repositories,” the post continues. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
So why isn’t this as serious as it sounds? Two reasons.
First, as the company explains, Microsoft uses what it calls an “inner source approach” to software development that combines open-source software development best practices and an open source-like culture to make its source code viewable to employees within Microsoft. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft says. “So viewing source code isn’t tied to elevation of risk. We plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”
Second, Microsoft already shares the source code for its most important products with governments and large corporations. The Russian hack of Microsoft and of many other large corporations and government institutions probably had many goals, but stealing Microsoft’s source code wasn’t one of them.