Microsoft Concludes Its SolarWinds Investigation

In December, Microsoft began an investigation into a SolarWinds-based breach of its internal systems. That investigation is now complete, and the software giant says that no customer data was compromised.

“We have now completed our internal investigation into the activity of the actor [in the SolarWinds breach] and want to share our findings, which confirm that we found no evidence of access to production services or customer data,” a new Microsoft Security Response Center blog post explains. “The investigation also found no indications that our systems at Microsoft were used to attack others. Because of our defense-in-depth protections, the actor was also not able to gain access to privileged credentials or leverage the SAML techniques against our corporate domains.”


According to the new post, Microsoft continued to witness repeated attempts by this unnamed actor to access its internal systems, albeit unsuccessfully, through early January. At no time were any product or service code repositories fully compromised, and in those cases where code repositories were accessed, the actor only viewed a small handful of files. The repositories that were accessed included those for Azure, Intune, and Exchange, and in each case, it was a small subset of the full repository.

“The search terms used by the actor indicate the expected focus on attempting to find secrets,” Microsoft explains. “Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”

As Microsoft explained when the SolarWinds hack came to light in late 2020, the software giant uses what it calls a Zero Trust model for its internal systems in which it always assumes it is being breached, thus requiring explicit verification of “the security status of identity, endpoint, network, and other resources based on all available signals and data.” This helped prevent any widespread damage, and Microsoft now provides guidance for other enterprises so that they can adopt this model and protect themselves.


Conversation 3 comments

  • coeus89

    19 February, 2021 - 7:30 pm

    It seems that they have a pretty effective model for reducing the impact of breaches. Good stuff. I hope other companies emulate.

  • Username

    20 February, 2021 - 8:34 pm

    That picture, with books used to prop up a non-adjustable monitor stand, obliterates any semblance of Apple's ergonomic design priority.

  • red.radar

    Premium Member
    21 February, 2021 - 3:47 pm

    I am not a software developer. What does the policy about "secrets" mean? How can you automate compliance to that? Is it just that they semantically analyze comments? Or is this just a comment on their project management techniques, and they have no work done that is not approved by a systems engineer, preventing undocumented functions and structures from entering code?

    • dnm

      Premium Member
      22 February, 2021 - 8:59 am

      In reply to red.radar:

      This is an article (for AWS though) but the principles should apply: Why and how you should manage secrets outside source control (datree.io), https://www.datree.io/resources/secrets-management-aws

      "Examples of secrets include API keys, encryption keys, Oauth tokens, certificates, PEM files, passwords, and passphrases."

      And you can have tools that search your code for these secrets.
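Both the automated compliance check Microsoft describes (a policy that prohibits secrets in code, verified by tooling run over current and historical branches) and the code-searching tools dnm mentions come down to the same kind of scanner. The following is an added example, not Microsoft's tooling, the article's code, or anything from datree.io: it recognises a few credential formats by their publicly known shape, applies an entropy filter to generic "name = value" assignments so placeholders do not trip it, and runs over a constructed sample file. Every key-like string in it is made up, and the entropy threshold of 3.5 bits is an assumed tuning value.

```python
import math
import re
from dataclasses import dataclass

# Credential formats with a recognisable shape (the shapes are public knowledge);
# every value scanned below is constructed for this example, none is a real secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # Generic "name = 'value'" assignments whose name suggests a credential.
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str  # redacted, so the report itself does not leak the value


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(text: str) -> str:
    """Keep a short prefix so a reviewer can locate the hit without seeing all of it."""
    return text[:8] + "..." if len(text) > 8 else text


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Return a Finding for each line that looks like it carries a live credential.

    The entropy threshold (assumed tuning value) filters the generic rule so that
    placeholders such as "changeme" or "${DB_PASSWORD}" do not raise findings.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, regex in PATTERNS.items():
            match = regex.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                value = match.group(2)
                # Templated references are resolved at deploy time, not committed secrets.
                if value.startswith(("${", "{{", "<")):
                    continue
                if shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


# Constructed sample "repository" content; the key-like strings are made up.
SAMPLE_REPO = """\
# config.py (constructed sample, not real code)
DB_HOST = "db.internal.example"
password = "${DB_PASSWORD}"
api_key = "sk-CONSTRUCTED-9f8e7d6c5b4a3f2e1d0c"
aws_key = "AKIAEXAMPLEEXAMPLE01"
-----BEGIN RSA PRIVATE KEY-----
token = "changeme"
""".splitlines()


if __name__ == "__main__":
    # Expected: hits on lines 4 (generic assignment), 5 (AWS key id) and 6 (private key);
    # the vault reference on line 3 and the low-entropy placeholder on line 7 are skipped.
    for f in scan_lines(SAMPLE_REPO):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Running the same function over every commit in a repository's history, not just the current tree, is what turns this into the "current and historical branches" verification the article quotes; a secret removed in a later commit is still retrievable from the earlier one.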


Thurrott © 2024 Thurrott LLC