Threat actors downloaded some Microsoft Exchange and Azure code repositories during the sprawling SolarWinds supply-chain attack but did not use the company’s internal systems or products to attack other victims.
That’s the final verdict this week by the tech giant now that it’s completed a comprehensive investigation into the attack, which was discovered in December and continues to have repercussions across the industry.
“We have now completed our internal investigation into the activity of the actor … which confirms that we found no evidence of access to production services or customer data,” the company said in a blog post on its Microsoft Security Response Center published Thursday. “The investigation also found no indications that our systems at Microsoft were used to attack others.”
Texas-based SolarWinds was the primary victim of the now-infamous cyberattack believed to be the work of Russian state-sponsored actors. During the attack, adversaries used SolarWinds’ Orion network management platform to infect users with a stealth backdoor called “Sunburst” or “Solorigate,” which opened the way for lateral movement to other parts of a network.
The backdoor was pushed out via trojanized product updates to almost 18,000 organizations around the globe—including high-profile victims such as the U.S. Department of Homeland Security (DHS) and the Treasury and Commerce departments—starting last spring. Once embedded, the attackers were able to pick and choose which organizations to further penetrate.
Microsoft came out as one of those victims in December, acknowledging that malicious SolarWinds binaries were detected in its environment, which the company immediately isolated and removed, a spokesperson said at the time. Microsoft subsequently began its investigation into the situation following its initial detection of unusual activity.
“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” the company said in the post. “We continued to see unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped.”
Despite its quick response, there was some fallout from the attack. Threat actors apparently accessed and downloaded source code from a “small number of repositories,” Microsoft said.
These repositories contained code for: A small subset of Azure components including those related to service, security and identity; a small subset of Intune components; and a small subset of Exchange components. However, because of internal protections in place, the repositories did not contain “any live, production credentials,” according to the company.
“The search terms used by the actor indicate the expected focus on attempting to find secrets,” according to Microsoft. “Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories.”
Ultimately, Microsoft’s existing “in-depth protections” prevented the threat actor from gaining access to privileged credentials or leveraging the techniques used in the attack against its corporate domains, the company concluded.
Further Reading:
- SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover
- Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball
- Malwarebytes Hit by SolarWinds Attackers
- SolarWinds Malware Arsenal Widens with Raindrop
- SolarWinds Hack Potentially Linked to Turla APT
- SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Attack
- Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
- Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
- Nuclear Weapons Agency Hacked in Widening Cyberattack
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries
- FireEye Cyberattack Compromises Red-Team Security Tools
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.