Connect with us

Hi, what are you looking for?



Microsoft: SolarWinds Hackers Attempted to Access Our Systems Until January 2021

Microsoft said on Thursday that it has completed its internal investigation into the activities conducted by the hackers that breached Texas-based IT management firm SolarWinds.

Microsoft said on Thursday that it has completed its internal investigation into the activities conducted by the hackers that breached Texas-based IT management firm SolarWinds.

The tech giant previously admitted that the hackers had managed to access some internal source code, but said they did not compromise or modify its software.

The company on Thursday confirmed that some source code was accessed, but claimed impact was limited.

“There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search,” it said.

Microsoft said the attackers apparently first accessed source code in late November, but their attempts did not stop after the breach was discovered and resolved in December. They continued making attempts until January 2021, but none of these attempts were successful.

The company said the attackers downloaded source code from repositories storing “a small subset” of Azure (service, security and identity), Intune, and Exchange components.

Microsoft also determined — based on the search terms used by the hackers — that they were attempting to find “secrets” in the source code they accessed.

“Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials,” the company said.

Advertisement. Scroll to continue reading.

Microsoft also reiterated that it had found no evidence that production services or customer data were compromised, or that its own systems were used to attack others.

“Because of our defense-in-depth protections, the actor was also not able to gain access to privileged credentials or leverage the SAML techniques against our corporate domains,” Microsoft said.

Last month, Microsoft released a report detailing the methods and activities of the threat actor behind the SolarWinds attack, including operational security (OPSEC), anti-forensic behavior, and malware delivery methods.

Microsoft and others have claimed that more than 1,000 hackers may have been involved in the SolarWinds attack, but some cybersecurity professionals have questioned the claims.

SolarWinds was apparently targeted by two unrelated threat groups: one linked to Russia that compromised its systems and delivered trojanized updates to thousands of customers, and one linked to China that did not breach SolarWinds systems and instead exploited a zero-day vulnerability and delivered a piece of malware after gaining access to victims’ systems.

SolarWinds released patches in response to both attacks, but many of its customers have failed to secure their systems, according to a report from risk assessment firm RiskRecon.

Related: White House Names SolarWinds Response Leader Amid Criticism

Related: Hundreds of Industrial Organizations Received Sunburst Malware in SolarWinds Attack

Related: More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...