Microsoft Says It Was Hacked in SolarWinds Cyberattack

December 31, 2020 Updated: December 31, 2020

Microsoft confirmed that hackers behind a widespread attack on SolarWinds—used by federal government agencies—also breached its systems.

The hackers were able to access internal Microsoft systems and viewed source code used to create software products, the Redmond, Washington-based firm said on Thursday.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company wrote in a post on its website. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

According to Microsoft, the hackers were not able to access customer data or Microsoft production services. Microsoft didn’t say what internal systems or products were affected by the breach.

“The investigation, which is ongoing, has also found no indications that our systems were used to attack others,” the firm also said. “As we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated and removed. Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate domains.”

The SolarWinds cyberattack dates back to 2019 and prompted a series of investigations among federal government agencies and private firms. The Treasury Department and Department of Commerce first alerted others to the attack several weeks ago before SolarWinds confirmed that the hackers were able to target its Orion update.

Some private and government officials have linked the cyberattack to Russia, while the Kremlin has denied any involvement.

“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the Office of the Director of National Intelligence said in a joint statement with the FBI and the Department of Homeland Security (DHS) about two weeks ago.

The statement continued by saying, “As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action.”

The DHS’s cybersecurity agency, meanwhile, said on Dec. 30 that it is updating its guidance on how to handle the breach.

“Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as ‘affected versions’ below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code,” the agency stated.