Microsoft has posted its final report on the massive SolarWinds cyberattack, providing some additional details regarding its findings and involvement. The report confirms that the attackers managed to access code repositories for several Microsoft products, including access to product source code.
Although an attacker accessing source code sounds worrying, Microsoft's report stressed that the repositories accessed didn't contain any "live, production credentials."
Microsoft Releases Final SolarWinds Report
Microsoft's final SolarWinds report is available to read on the Microsoft Security Response Center blog.
There are a few key takeaways from the latest report to address SolarWinds.
First, Microsoft "found no indications that our systems at Microsoft were used to attack others."
While this might seem like a standard response, Microsoft and SolarWinds (the company whose Orion software was the launchpad for the attack) have argued continuously about which company was breached first in the supply-chain hack.
Second, Microsoft's report confirms that the attackers did access several repositories containing source code for Microsoft products.
There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search.
The report went on to detail some of the repositories the attackers gained additional access to:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
Within those repositories, the attackers were trying to "find secrets," be that vulnerabilities, backdoors, or data. Microsoft doesn't work with secrets in its publishable code, so there was nothing to find. However, due to the scale of the breach and range of targets, Microsoft ran a full verification of its codebase.
What Microsoft Learned from SolarWinds
For Microsoft and most other tech and security companies involved in the SolarWinds cyberattack, the biggest lesson is that such enormous attacks can happen, seemingly without warning, from an attacker lurking silently out of sight for a long period.
A sufficiently advanced threat, such as a nation-state threat actor, can pile resources into an operation of the scale, penetrating multiple tech companies and many US government departments.
Even though Microsoft established what it thought the SolarWinds attacker's actual target was, the attack was so broad that we might never truly understand how much data was stolen or how it will be used in the future.