What lessons can we learn from the SolarWinds aftermath?
Microsoft has posted its final report on the vast SolarWinds cyberattack, providing additional details about its findings and involvement. The report confirms that the attackers managed to access code repositories for several Microsoft products, including product source code.
Although an attacker accessing source code sounds worrying, Microsoft’s report stressed that the repositories accessed didn’t contain any “live, production credentials.”
Microsoft Releases Final SolarWinds Report
Microsoft’s final SolarWinds report is available to read on the Microsoft Security Response Center blog.
There are a few key takeaways from the latest report addressing SolarWinds.
First, Microsoft “found no indications that our systems at Microsoft were used to attack others.”
While this might sound like a standard response, Microsoft and SolarWinds (the company whose Orion software was the launchpad for the attack) have argued continuously about which company was breached first in the supply-chain hack.
Second, Microsoft’s report confirms that the attackers did access several repositories containing source code for Microsoft products.
There was no case where all repositories associated with any single product or service were accessed. There was no access to the overwhelming majority of source code. For nearly all of the code repositories accessed, only a few individual files were viewed as a result of a repository search.
The report went on to detail a number of the repositories the attackers gained access to:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
Within those repositories, the attackers were trying to “find secrets,” vulnerabilities, backdoors, or data. Microsoft does not keep secrets in its released code, so there was nothing to find. However, because of the size of the breach and the range of targets, Microsoft ran a full verification of its codebase.
What Microsoft Learned from SolarWinds
For Microsoft and most other tech and security companies involved in the SolarWinds cyberattack, the most important lesson is that such enormous attacks can happen, seemingly all of a sudden, from an attacker that has lurked silently out of sight for an extended period.
A sufficiently advanced threat, such as a nation-state actor, can pour resources into an operation of this size, penetrating multiple tech companies and numerous United States government departments.
Even though Microsoft established what it thought the SolarWinds attacker’s actual target was, the attack was so broad that we may never truly understand how much data was stolen or how it will be used in the longer term.