December 2020 was a month of tension for several companies, all due to a sophisticated hacker attack on SolarWinds. Among the victims is Microsoft: The company confirmed that the incident gave attackers access to several of its source code repositories.
What is SolarWinds?
But how did an external attack affect Microsoft? We should start with… the beginning. Unless you are an IT professional, you have probably heard little or nothing of SolarWinds. If that is the case, know that the company specializes in corporate software. It offers, for example, solutions for databases, network management and systems monitoring.
SolarWinds has hundreds of large customers. Considering only the United States, the company provides services to names like Ford, Mastercard, Visa, Procter & Gamble, Yahoo and, as you already know, Microsoft. Among SolarWinds’ customers there are also government agencies.
The attack on SolarWinds
It is not yet clear when the attack began, not least because the action was not carried out in a single moment. What is known is that the first signs of malicious activity were detected in December 2020 and that thousands of companies may have been affected.
Preliminary investigations show that SolarWinds was the victim of a “supply chain” attack. The operation is believed to have been carried out by inserting a type of Trojan horse into the Orion platform, the centerpiece of the company’s IT management solutions.
Everything indicates that the malware was inserted into official Orion update packages. In other words, these packages were modified at the source: they left SolarWinds’ servers already contaminated. There is a suspicion that, to gain access to the platform, the hackers also circumvented a two-factor authentication system using an Outlook Web App (OWA) key.
Regardless of the method used, the fact is that, in a short time, thousands of companies using SolarWinds solutions had their systems compromised by malware that only showed signs of its existence after it had infiltrated them deeply.
Experts investigating the matter even believe that, after the infiltration, the attackers responsible had time to map the compromised networks to find out how far they could go without their malicious activities being detected. It is estimated that the first contaminated packages were distributed in March, but there is still no certainty about this.
Microsoft confirms access to source code
Microsoft was quick to start an investigation. In its most recent statement on the subject, released on the last day of 2020 at the Security Response Center, the company confirmed that Solorigate, as the incident was dubbed, gave attackers access to several of its internal source code repositories.
Basically, the malware allows the attacker to control user accounts on Orion and, from there, take various actions, Microsoft explains. In the company’s case, the problem was not more serious only because the compromised account had no permission to modify the code.
This means that no Microsoft software has been modified due to the attack. “This activity did not jeopardize the security of our services or any customer data,” says an excerpt from the company’s note.
In any case, the investigations continue and are expected to last a long time. The attack on SolarWinds was quite sophisticated and may have affected some 18,000 organizations around the world, including at least 250 federal agencies in the United States.
It is not yet possible to measure the size of the damage or to estimate the future consequences. In addition to seeking answers to this, the authorities and companies investigating the attack are trying to identify its source. On the part of the American government, there is a strong suspicion that the action was conducted by the SVR, Russia’s Foreign Intelligence Service.
With information: Business Insider, The Verge.