
SolarWinds hackers found to have accessed Microsoft source code


Microsoft has revealed that whoever was behind the SolarWinds cyberattack managed to view source code repositories for some of its products.

The company, however, was quick to downplay the significance of the compromise, providing two main reasons why the criminals can do little with the material accessed.

For one, the accounts were view-only, so the attackers could not have altered the code in any way. Second, Microsoft explained that its programmers work on the basis that all insiders can see the source code anyway.

"At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft," the company said.

"This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk."

This is not the first time Microsoft source code has been leaked, and the company has always held the same stance.

Late last year, cybersecurity experts from FireEye spotted malware spreading through a compromised patch for SolarWinds' Orion product. It was later uncovered that criminals created a foothold in the SolarWinds network through compromised Office 365 accounts and were able to embed malicious code into an upcoming Orion patch.

The patch was distributed to hundreds of thousands of Orion users, 18,000 of which were compromised. Among them, besides Microsoft, were also US government agencies.

A patch has already been deployed to completely remove any traces of the malicious code, but the high-profile nature of the incident means it has been dubbed one of the most significant of 2020.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.