Microsoft experts announced that they have completed an official investigation of the attack, and told what exactly SolarWinds hackers were able to steal. The company reiterated that it was found no evidence that outsiders could somehow abuse Microsoft systems or use its products to attack customers.
Let me remind you that Microsoft acknowledged the fact of compromise back in December 2020, when it became clear that the company was using versions of the Orion platform, manufactured by SolarWinds and infected by cybercriminals. This allowed hackers to gain access to some source codes.
When hackers were disabled, they continued to try to log into the company’s systems throughout December and even in early January 2021. That is, the activity of the attackers continued even several weeks after the SolarWinds hack became known, and even after Microsoft officially announced that it was investigating the incident.
The company assures that hackers did not get access to all repositories of any particular product or service, and also did not get to the bulk of the source code. Instead, according to the manufacturer, the attackers were able to view “only a few individual files […] as a result of searching the repository.”
Moreover, judging by the search queries, the hackers were not interested in the source code itself, but looked for API keys, credentials, and tokens that would help them penetrate other Microsoft systems. However, these attempts were unsuccessful, as the company’s development policy prohibits the use of secrets in the code, and for this, regular automated checks are carried out.
In the end, the attackers still managed to steal the source code, but these were only the source code for several components associated with the company’s cloud products. Thus, the compromised repositories contained:
- a small portion of Azure components;
- a small portion of Intune components.
- a small part of Exchange components.
Microsoft representatives summarize that this leak will not affect the company’s products in any way, and the incident did not allow hackers to gain wide access to user data.