Microsoft now says suspected Russian hackers behind a massive campaign that impacted government agencies, local municipalities and companies were also able to view some of the company’s source code.
In a blog post Microsoft says the unauthorized access “has not put at risk the security of our services or any customer data.”
While Microsoft points to “a very sophisticated nation-state actor” as the culprit, the US government and cybersecurity officials have implicated Russia as the architects of the overall SolarWinds attack. The attack exposed an extensive list of sensitive organizations, and today’s disclosure from Microsoft shows we’ll still be unraveling the attack’s implications for weeks and months to come.
Fortunately, Microsoft says that while hackers went deeper than previously known, it found “no evidence of access to production services or customer data,” and “no indications that our systems were used to attack others.” Additionally, the company says that it regularly assumes adversaries are able to view its source code, and does not rely on the secrecy of source code to keep its products secure. Microsoft did not disclose how much code was viewed or what the exposed code is used for.
Earlier this month, Microsoft President Brad Smith said the attack was a “moment of reckoning” and warned about its danger. “This is not ‘espionage as usual,’ Smith said. “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
