Microsoft Concludes Its SolarWinds Investigation

Posted on February 19, 2021 by Paul Thurrott in Microsoft with 4 Comments

In December, Microsoft began an investigation into a SolarWinds-based breach of its internal systems. That investigation is now complete, and the software giant says that no customer data was compromised.

“We have now completed our internal investigation into the activity of the actor [in the SolarWinds breach] and want to share our findings, which confirm that we found no evidence of access to production services or customer data,” a new Microsoft Security Response Center blog post explains. “The investigation also found no indications that our systems at Microsoft were used to attack others. Because of our defense-in-depth protections, the actor was also not able to gain access to privileged credentials or leverage the SAML techniques against our corporate domains.”

According to the new post, Microsoft continued to witness repeated attempts by this unnamed actor to access its internal systems, albeit unsuccessfully, through early January. At no time were any product or service code repositories fully compromised, and in those cases where code repositories were accessed, the actor only viewed a small handful of files. The repositories that were accessed included those for Azure, Intune, and Exchange, and in each case, it was a small subset of the full repository.

“The search terms used by the actor indicate the expected focus on attempting to find secrets,” Microsoft explains. “Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”
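The paragraph above describes two controls: a policy that forbids secrets in source, and automated scanning that verifies compliance across current and historical branches. The following is an added example of how such a scanner works; it is not Microsoft's tooling and the file contents, rule set, placeholder allowlist and entropy threshold are all constructed for illustration. It combines pattern rules for well-known credential formats (the AWS access key ID prefix and PEM private-key headers, which are public formats) with a Shannon-entropy rule that catches long random-looking strings no pattern knows about.

```python
import math
import re
from dataclasses import dataclass

# Pattern rules. The AWS key ID and PEM header formats are public; the
# generic "name = 'value'" rule is a heuristic and is expected to be noisy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that look like secrets but are obvious placeholders (constructed allowlist).
PLACEHOLDERS = {"changeme", "example", "redacted", "xxxxxxxx"}

# Any run of 32+ base64/URL-safe characters is a candidate for the entropy rule.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys score well above this


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words and padding low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(path: str, line_no: int, line: str) -> list[Finding]:
    findings = []
    for rule, pat in PATTERNS.items():
        m = pat.search(line)
        if not m:
            continue
        # For rules with a captured value, allowlist placeholders; otherwise use the match.
        value = m.group(m.lastindex) if m.lastindex else m.group(0)
        if value.strip().lower() in PLACEHOLDERS:
            continue
        findings.append(Finding(path, line_no, rule, m.group(0)))
    # Entropy rule only fires on lines no pattern rule already explained.
    if not findings:
        for tok in HIGH_ENTROPY_TOKEN.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_string", tok))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. one commit's tree) and collect findings."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            findings.extend(scan_line(path, line_no, line))
    return findings


# Constructed sample tree. The AWS key ID is the placeholder value AWS uses in its own docs.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'db_password = "s3cr3t-Pr0d-V4lue!"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "tests/fixtures.py": (
        'password = "changeme"\n'  # allowlisted placeholder, must not be reported
        'SESSION_SEED = "q7Xz2mL9vK4pR8nT1wYb5cJ6hF3dS0gA"\n'  # caught only by entropy
        'marker = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\n'  # long but zero entropy
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Checking "historical branches", as the post describes, means running `scan_files` over the tree of every commit rather than only the working copy, since a credential deleted in a later commit is still retrievable from history; a finding there is handled by rotating the credential, not by rewriting the repository. The allowlist and the entropy threshold are the two knobs that trade false positives against misses, and both should be tuned on a known-clean baseline before the scanner is made a blocking check.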

As Microsoft explained when the SolarWinds hack came to light in late 2020, the software giant uses what it calls a Zero Trust model for its internal systems in which it always assumes it is being breached, thus requiring explicit verification of “the security status of identity, endpoint, network, and other resources based on all available signals and data.” This helped prevent any widespread damage, and Microsoft now provides guidance for other enterprises so that they can adopt this model and protect themselves.


3 responses to “Microsoft Concludes Its SolarWinds Investigation”

  1. coeus89

    It seems that they have a pretty effective model for reducing the impact of breaches. Good stuff. I hope other companies emulate.

  2. Username

    That picture, with books used to prop up a non-adjustable monitor stand, obliterates any semblance of Apple's ergonomic design priority.

  3. red.radar

    I am not a software developer. What does the policy about "secrets" mean? How can you automate compliance to that? Is it just them semantically analyzing comments? Or is this just a comment on their project management techniques, and they have no work done that is not approved by a systems engineer, preventing undocumented functions and structures from entering code?
