SolarWinds hackers studied Microsoft source code for customer authentication

SAN FRANCISCO • The hackers behind the worst intrusion of US government agencies in years gained access to Microsoft's secret source code for authenticating customers, one of the biggest vectors used in the attacks.

Microsoft said in a blog post on Thursday that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange e-mail programs, and Intune management for mobile devices and applications.

Some of the code was downloaded, the company said, which would have allowed the hackers more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Microsoft had said before that the hackers had accessed some source code, but had not indicated which parts, or that any had been copied.

The American authorities said on Wednesday the breaches revealed in December extended to nine federal agencies and 100 private companies, including major technology providers and security firms. They said the Russian government is likely behind the spree, which Moscow has denied.

The hackers - who were initially discovered by security provider FireEye - used advanced skills to insert software back doors for spying into widely used network-management programs distributed by Texas-based SolarWinds Corp.

At the most prized of the thousands of SolarWinds customers exposed last year, the hackers added new Azure identities, added greater rights to existing identities, or otherwise manipulated the Microsoft programs, largely to steal e-mail.

Some hacking also used that method on targets which did not use SolarWinds.

Microsoft previously acknowledged that some of its resellers, who often have continual access to customer systems, had been used in the hacks. It continues to deny that flaws in anything it provides directly have been used as an initial attack vector.

The company said on Thursday it had completed its probe and that it had "found no indications that our systems at Microsoft were used to attack others".

Nevertheless, the problems with identity management have proved so pervasive in the recent attacks that multiple security companies have issued new guidelines and warnings as well tools for detecting misuse.


A version of this article appeared in the print edition of The Straits Times on February 20, 2021, with the headline 'SolarWinds hackers studied Microsoft source code for customer authentication'. Subscribe