Microsoft said Thursday that some of its internal source code — the digital blueprints used to build its products — was accessed in the colossal SolarWinds hack being widely blamed on Russia.
An ongoing investigation into the SolarWinds hack resulted in Microsoft finding evidence its source code was seen during the course of the campaign being carried out, the company explained.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” Microsoft said in a blog post.
The account that was used to view the source code was unable to make any changes, and the incident “has not put at risk the security of our services or any customer data,” Microsoft added.
“At Microsoft, we have an inner source approach — the use of open source software development best practices and an open source-like culture — to making source code viewable within Microsoft,” the post said in part. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”
SolarWinds, an IT management company based in Texas to hundreds of government and corporate clients, was reportedly breached as far back as 2019, but the intrusion only became apparent this month.
Once inside SolarWinds, the culprit modified software distributed by the company to its clients, in turn causing for some of those customers, including federal agencies, to be infiltrated as well.
Microsoft said it found no evidence any customer data was accessed in the hack or any indication its systems were used to attack others. It previously said at least 40 of its clients were affected.
Several members of the Trump administration have said Russia seems likely responsible for the attack, including Secretary of State Michael R. Pompeo. President Trump has said he is unsure, however.
Russia has denied responsibility.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.