Microsoft has revealed that whoever was behind the SolarWinds cyberattack managed to view source code repositories for some of its products.
The company, however, was quick to downplay the significance of the compromise, providing two main reasons why the criminals can do little with the material accessed.
For one, the accounts were view-only, so the attackers could not have altered the code in any way. Second, Microsoft explained that its programmers work on the basis that all insiders can see the source code anyway.
“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said.
“This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”
This is not the first time Microsoft source code has been exposed, and the company has always held the same stance.
Late last year, cybersecurity experts from FireEye spotted malware spreading through a compromised patch for SolarWinds’ Orion product. It was later uncovered that criminals created a foothold in the SolarWinds network through compromised Office 365 accounts and were able to embed malicious code into an upcoming Orion patch.
The patch was distributed to hundreds of thousands of Orion users, 18,000 of which were compromised. Among them, besides Microsoft, were also US government agencies.
A patch has already been deployed to completely remove any traces of the malicious code, but the high-profile nature of the incident means it has been dubbed one of the most significant of 2020.