Microsoft Says Russian Hackers Viewed Some of its Source Code

Posted on January 1, 2021 by Paul Thurrott in Cloud, Dev, Microsoft with 14 Comments

Microsoft admitted last night that hackers gained more access to its internal infrastructure than previously thought. But it’s not as serious as you might expect.

“As we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated and removed,” a post to the Microsoft Security Response Center explains. “Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques[,] and procedures) related to the abuse of forged [Security Assertion Markup Language (SAML)] tokens against our corporate domains.”

Microsoft has found no evidence of access to production services or customer data, and no indication that its systems were used to attack others. However, since its initial investigation it has found that state-sponsored Russian hackers viewed, but could not modify, some of its source code.

“We discovered one account had been used to view source code in a number of source code repositories,” the post continues. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

So why isn’t this as serious as it sounds? Two reasons.

First, as the company explains, Microsoft uses what it calls an “inner source approach” to software development, which combines open-source development best practices and an open source-like culture to make its source code viewable to employees across Microsoft. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft says. “So viewing source code isn’t tied to elevation of risk. We plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.” The control that matters in practice is the one in Microsoft’s own statement: the account could read repositories but had no permission to modify code or engineering systems, and the investigation confirmed no changes were made, so the exposure was disclosure, not tampering with what ships to customers.

Second, Microsoft already shares the source code for its most important products with governments and large corporations. The Russian hack of Microsoft and numerous other large corporations and governmental institutions probably had many goals, but obtaining Microsoft’s source code was unlikely to be one of them.


Comments (14)


  1. oscar1

    Do we really know for sure that the cyber espionage was a "state-sponsored Russian" one?

    • wright_is

      In reply to oscar1:

      All the hallmarks of Cozy Bear are smeared over the hacks. Each hacking team leaves their own "fingerprint" behind, a sort of calling card or modus operandi.

      The teams doing the clean-up of the networks after the hack was discovered say that it has Cozy Bear's fingerprint.

      That is not definitive proof, but it means either it was the Russian state sponsored group, or somebody went to a lot of trouble to hide their own tracks and make it look like Cozy Bear.

      • ngc224

        In reply to wright_is:

        I would guess the latter: “or somebody went to a lot of trouble to hide their own tracks and make it look like Fancy Bear.”

        In fact, I’d guess it was Microsoft itself demonstrating the security of their new, open-source software development.

        The clue was “inner source approach.” Clever Microsoft, but not clever enough.

        • wright_is

          In reply to ngc224:

          I very much doubt Microsoft went to the trouble of hacking SolarWinds and most of the Fortune 500, and governments around the world, just to show how robust their development procedure is.

      • oscar1

        In reply to wright_is:

        You have clearly not been paying much attention to this case. It is Cozy Bear, affiliated with the SVR (Russia's CIA), that is claimed to have been behind this, not Fancy Bear; that group belongs to their military intelligence service, the GRU.

        I think you need to read up on this before spreading further false information.

      • ngc224

        In reply to wright_is:

        I think you’re missing the point. Microsoft didn’t orchestrate the hack, but they tried to exploit it to their own ends.

        “All the hallmarks of Cozy Bear” was used to justify years of Russiagate.

        • wright_is

          In reply to ngc224:

          Russiagate is a uniquely US thing.

          Given that independent security experts around the world, who have no iron in the fire that is US political rhetoric, are saying it was the Russians, I would say Russiagate is a red herring.

    • anoldamigauser

      In reply to oscar1:

      The only person to suggest otherwise is not known for technical expertise with regard to cyber security, and has repeatedly tried to attribute hacking to any source other than Russia.

    • suhailali

      In reply to oscar1:

      Ah, the fog of war. We'll know with more certainty years later, when no one cares, but like everyone in the thread says, intelligence agencies only offer probabilities and rarely certainty.

    • lvthunder

      In reply to oscar1:

      On Security Now, Steve Gibson said that there were two different hacks of SolarWinds. So it could be the Russians and another government. Who knows?

  2. winner

    ...and they were appalled at what they saw...

  3. beewacker

    It's my understanding the Russians quit looking when they read "all your base are belong to us" in Microsoft's code.