Microsoft: SolarWinds Attackers Downloaded Azure, Exchange Code

However, internal products and systems were not leveraged to attack others during the massive supply-chain incident, the tech giant said upon completion of its Solorigate investigation.

Threat actors downloaded some Microsoft Exchange and Azure code repositories during the sprawling SolarWinds supply-chain attack but did not use the company’s internal systems or products to attack other victims.

That’s the final verdict this week by the tech giant now that it’s completed a comprehensive investigation into the attack, which was discovered in December and continues to have repercussions across the industry.

“We have now completed our internal investigation into the activity of the actor … which confirms that we found no evidence of access to production services or customer data,” the company said in a blog post on its Microsoft Security Response Center published Thursday. “The investigation also found no indications that our systems at Microsoft were used to attack others.”

Threatpost Webinar February Promo

Click to Register

Texas-based SolarWinds was the primary victim of the now-infamous cyberattack believed to be the work of Russian state-sponsored actors. During the attack, adversaries used SolarWinds’ Orion network management platform to infect users with a stealth backdoor called “Sunburst” or “Solorigate,” which opened the way for lateral movement to other parts of a network.

The backdoor was pushed out via trojanized product updates to almost 18,000 organizations around the globe—including high-profile victims such as the U.S. Department of Homeland Security (DHS) and the Treasury and Commerce departments—starting last spring. Once embedded, the attackers were able to pick and choose which organizations to further penetrate.

Microsoft came out as one of those victims in December, acknowledging that malicious SolarWinds binaries were detected in its environment, which the company immediately isolated and removed, a spokesperson said at the time. Microsoft subsequently began its investigation into the situation following its initial detection of unusual activity.

“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” the company said in the post. “We continued to see unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped.”

Despite its quick response, there was some fallout from the attack. Threat actors apparently accessed and downloaded source code from a “small number of repositories,” Microsoft said.

These repositories contained code for: A small subset of Azure components including those related to service, security and identity; a small subset of Intune components; and a small subset of Exchange components. However, because of internal protections in place, the repositories did not contain “any live, production credentials,” according to the company.

“The search terms used by the actor indicate the expected focus on attempting to find secrets,” according to Microsoft. “Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories.”

Ultimately, Microsoft’s existing “in-depth protections” prevented the threat actor from gaining access to privileged credentials or leveraging the techniques used in the attack against its corporate domains, the company concluded.

Further Reading:

Is your small- to medium-sized business an easy mark for attackers? 

Threatpost WEBINAR: Save your spot for 15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.

Suggested articles