According to Microsoft, the suspected Russian hackers behind the breach of several US government agencies also gained access to the company’s internal source code. It is really stunning, although no customer data or services were compromised.
In a Thursday blog post, Microsoft gave an update on its continuing investigation of the attack. It said, “We detected unusual activity with a small number of internal accounts, and upon review, we discovered one account had been used to view source code in several source code repositories. The account did not have permissions to modify any code or engineering systems, and our investigation further confirmed no changes were made.”
A Microsoft official declined to say which source code the hackers viewed. Source code describes how computer programs work and is used to build products. Access to source code could give hackers useful insights for exploiting programs or evading detection. Microsoft added that its security approach, or threat model, assumes that its source code will be accessed, and that its defences are built with that in view.
Previously, Microsoft said that it too had received a malicious update of the software from IT provider SolarWinds Corp, which was used to breach government agencies and firms worldwide. It is still unknown how many organizations were victimized and what the hackers obtained from the breach. In December, according to a Bloomberg report, investigators found that about 200 organizations were struck in the breach campaign.
Microsoft says the hackers did not use the SolarWinds update to access the internal account, but it declined to give details on exactly how the hackers gained access. In the blog post, the company did not mention which code repositories were viewed, nor did it say how long the hackers were inside the company’s network. However, it reiterated that there was no indication that its systems were used to breach others.
Moreover, the company said, “This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.”