(Adds that Microsoft and the Department of Homeland Securitydeclined to comment, link to blog post, Senate hearing)
By Joseph Menn
SAN FRANCISCO, Feb 18 (Reuters) – The hackers behind theworst intrusion of U.S. government agencies in years won accessto Microsoft’s secret source code for authenticatingcustomers, potentially aiding one of their main attack methods.
icrosoft said in a blog post on Thursday that its internalinvestigation had found the hackers studied parts of the sourcecode instructions for its Azure cloud programs related toidentity and security, its Exchange email programs, and Intunemanagement for mobile devices and applications. https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/
Some of the code was downloaded, the company said, whichwould have allowed the hackers even more freedom to hunt forsecurity vulnerabilities, create copies with new flaws, orexamine the logic for ways to exploit customer installations.
Microsoft had said before that the hackers had accessed somesource code, but had not said which parts, or that any had beencopied.
U.S. authorities said Wednesday the breaches revealed inDecember extended to nine federal agencies and 100 privatecompanies, including major technology providers and securityfirms. They said the Russian government is likely behind thespree, which Moscow has denied.
Initially discovered by security provider FireEye Inc, the hackers used advanced skills to insert softwareback doors for spying into widely used network-managementprograms distributed by Texas-based SolarWinds Corp.
At the most prized of the thousands of SolarWinds customersthat were exposed last year, the hackers added new Azureidentities, added greater rights to existing identities, orotherwise manipulated the Microsoft programs, largely to stealemail.
Some hacking also used such methods at targets which did notuse SolarWinds. Microsoft previously acknowledged that some ofits resellers, who often have continual access to customersystems, had been used in the hacks. It continues to deny thatflaws in anything it provides directly have been used as aninitial attack vector.
Microsoft declined to answer Reuters’ questions about whichparts of its code had been downloaded or whether what thehackers discovered would have helped them hone techniques.
The company also declined to say whether it was changing anyof its code as a result of the breach.
The Department of Homeland Security did not respond toquestions.
The company said Thursday it had completed its probe andthat it had “found no indications that our systems at Microsoftwere used to attack others.”
Nevertheless, the problems with identity management haveproved so pervasive in the recent attacks that multiple securitycompanies have issued new guidelines and warnings as well toolsfor detecting misuse.
President Joe Biden has promised a response to theSolarWinds hacks, and an inquiry and remediation effort is beingled by his top cybersecurity official, Deputy National SecurityAdvisor Anne Neuberger.
The Senate Intelligence Committee will hold a hearing on thehacks Tuesday with witnesses including Microsoft President BradSmith and FireEye Chief Executive Kevin Mandia.(Reporting by Joseph Menn; Editing by Jonathan Oatis andChristopher Cushing)
Add Comment