Microsoft Concludes Its SolarWinds Investigation

Posted on February 19, 2021 by Paul Thurrott in Microsoft with 4 Comments

In December, Microsoft began an investigation into a SolarWinds-based breach of its internal systems. That investigation is now complete, and the software giant says that no customer data was compromised.

“We have now completed our internal investigation into the activity of the actor [in the SolarWinds breach] and want to share our findings, which confirm that we found no evidence of access to production services or customer data,” a new Microsoft Security Response Center blog post explains. “The investigation also found no indications that our systems at Microsoft were used to attack others. Because of our defense-in-depth protections, the actor was also not able to gain access to privileged credentials or leverage the SAML techniques against our corporate domains.”

According to the new post, Microsoft continued to witness repeated attempts by this unnamed actor to access its internal systems, albeit unsuccessfully, through early January. At no time were any product or service code repositories fully compromised, and in those cases where code repositories were accessed, the actor only viewed a small handful of files. The repositories that were accessed included those for Azure, Intune, and Exchange, and in each case, it was a small subset of the full repository.

“The search terms used by the actor indicate the expected focus on attempting to find secrets,” Microsoft explains. “Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”

As Microsoft explained when the SolarWinds hack came to light in late 2020, the software giant uses what it calls a Zero Trust model for its internal systems in which it always assumes it is being breached, thus requiring explicit verification of “the security status of identity, endpoint, network, and other resources based on all available signals and data.” This helped prevent any widespread damage, and Microsoft now provides guidance for other enterprises so that they can adopt this model and protect themselves.

Tagged with

Elevate the Conversation!

Join Thurrott Premium to enjoy our Premium comments.

Premium member comments on news posts will feature an elevated status that increases their visibility. This tab would allow you to participate in Premium comments with other premium members. Register to join the other Premium members in elevating the conversation!

Register or Subscribe

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate