The group behind the suspected Russian attack into U.S. government agencies and private companies was able to hack into Microsoft's internal systems and access some of the company's source code, the tech giant said in a blog post on Thursday.
Microsoft had previously said it was among thousands of companies that discovered malware on its systems after downloading a routine software update from the IT company SolarWinds containing a possible "backdoor" for hackers to gain access to sensitive company data.
But the admission Thursday is the first time Microsoft acknowledged the attackers did more than place a tainted software update on its system: hackers successfully broke into the company's systems and viewed source code, the carefully guarded DNA of the company's software products.
Microsoft said after first believing it had blocked the intrusion, some "unusual activity" on a "small number" of employee accounts tripped an alarm. When the company homed in, a startling finding appeared: company source code "in a number of source code repositories" had been accessed by hackers.
Microsoft said the company's source code was not altered by the attackers.
"The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated," the company said.
Dmitri Alperovitch, a cybersecurity expert and chairman of Silverado Policy Accelerator, a Washington-based think tank, said while the breach appears to be a "serious issue" and can potentially make it easier for attackers to uncover additional system flaws at Microsoft, the company's worst fears were not realized.
"This attack was not as bad as it could have been for Microsoft," Alperovitch said. "If they had modified the source code, or used it to introduce new backdoors, since Microsoft has billions of users out there in pretty much every organization around the planet, that would've been a very severe, very grave concern," he said. "But that doesn't appear to be the case."
Still, what the hackers can still do with whatever proprietary data was gathered from Microsoft should keep officials on edge, according to David Kennedy, who runs the Ohio-based company TrustedSec LLC, which investigated the hack.
"We trust the devices that we use. We trust our computers. We trust our phones that we're using on a daily basis. And all of them have source code that runs on the devices," he said. "My hope is that none of this was compromised in the process, but we just don't know at this point."
Many facts remain unknown about how the cyberattackers targeted Microsoft. The company did not say what products the viewed source code was tied to, or how long the hackers were able to stay within its systems.
"Is it Microsoft Cloud Services? Is it their Windows operating system? Is it Microsoft Office? That would be very helpful to know to understand what source code was accessed and what vulnerabilities may be in that source code now," Alperovitch said.
Kennedy offered additional questions.
"Does this impact authentication mechanisms and how usernames and passwords are protected? Are they in the operating system side of the house or future projects? These are key things we need to understand to know how deep this goes," Kennedy said. "The more access they had, the greater potential damage there is in the future."
A Microsoft spokesman declined to comment beyond the company's blog post, which noted that the hackers did not compromise customers' personal data, nor did the intruders harness the information it read to attack others.
Microsoft downplayed the significance of the attackers reading its source code, saying, unlike other tech companies, its employees have an "open source-like culture" to viewing source code within the firm. "So viewing source code isn't tied to elevation of risk," the company said.
That may be true, security expert Kennedy said, but having a group of malicious hackers reading a company's source code at the direction of a foreign government is a completely different matter.
"Those are typically trusted employees within an organization that have access to source code and aren't looking at it from an adversary's perspective," he said. "This can be used later on to launch additional attacks."
Investigators are still probing the far-reaching attack, which has been traced back to October and compromised 18,000 private and government users who inadvertently downloaded a tainted software update from the Texas firm SolarWinds.
U.S. agencies were compromised, including the departments of State, Treasury, Commerce, Energy and Homeland Security.
Officials do not believe the intrusion penetrated any classified information, yet investigators remain concerned that other sensitive data could have been stolen.
But, as expert Alperovitch noted, what exactly the suspected Russian hackers got away with is still a mystery.
"This is just one more shoe to drop," he said. "There will be many more in the coming months. We'll learn about more victims, more data that was taken. So we're just in the very early innings of this investigation."
STEVE INSKEEP, HOST:
We have news today of just how successful a suspected Russian hack was. When news emerged that hackers had penetrated U.S. government agencies and private companies, Microsoft - very important company - said that at least its internal systems had not been penetrated. Now Microsoft says they were. NPR tech reporter Bobby Allyn is covering this. Hey there, Bobby.
BOBBY ALLYN, BYLINE: Good morning.
INSKEEP: How has Microsoft's understanding of things changed?
ALLYN: So quite a bit. And let's back up. So Microsoft has known for some time that it was one of the 18,000 targets hit by this Russian-linked attack. All of them were customers of this Texas I.T. company called Solar Winds. But Microsoft at first wasn't sweating it. The company said, you know, they found and removed some malware that the hackers had placed on their systems and that their problems ended there. But as you mentioned, now Microsoft says that the hackers were able to get in. In fact, they found that the hackers opened up the hood of some Microsoft programs and read some of its proprietary, closely guarded software source code. So that is a big problem.
INSKEEP: That's the essence of what they're selling and what they're producing. So what did the hackers do having obtained that access?
ALLYN: Yeah, so that's not totally clear. It's also not known what software we're even talking about, Steve. Microsoft was pretty vague about it, but that's where the focus is going now. What will the hackers do with this unspecified source code information? Now, keep in mind - right? - Microsoft is on billions of devices all over the world. I mean, it's how major parts of the world communicate and operate systems. We're talking schools, hospitals, government agencies, Fortune 500 companies. So if the suspected Russian state actors now know how Microsoft software is built, that can help them launch future attacks.
INSKEEP: Any chance that this affects the many, many millions of people you just referred to who are using Microsoft products today?
ALLYN: So, yeah, that's certainly possible, right? I mean, Microsoft says the hackers didn't change any source code, and that's pretty important. But the experts I talked to said just reading the sensitive stuff can end up causing real damage. But was the hack on Microsoft cloud services? Was it on, you know, the Windows operating system? Was it on Skype, which Microsoft owns? Investigators are trying to figure this out. And I talked to cybersecurity expert David Kennedy. He runs a security firm in Ohio, and he's been looking into the attack.
DAVID KENNEDY: We trust the devices that we use. We trust our computers. We trust our phones that we're using on a daily basis. And all of them have code that runs on our devices. My hope is that, obviously, none of this was compromised in the process, but we just don't know at this point.
INSKEEP: OK, so we're still waiting to find out a little bit more about how compromised Microsoft was. Can you put this back into the larger context of what was known? Of course, this began with revelations of a hack of U.S. government agencies.
ALLYN: So the suspected Russian hack, you know, compromised more than just Microsoft. We know that, right? The Commerce Department, the State Department, the Department of Homeland Security - experts are calling this the most impressive intelligence-gathering operation in modern history so far. Officials say classified systems were not broken into, but plenty of sensitive information about the federal government and federal employees could have been stolen that wasn't on classified systems. And it takes real time, Steve, you know, to go through these internal computer logs and to try to sort of reverse engineer what these hackers did. So we should expect to hear more news like what we're hearing now from Microsoft. I mean, that's at least what Dmitri Alperovitch told me. He's a Washington-based cybersecurity expert.
DMITRI ALPEROVITCH: This is just one more shoe to drop in this particular case. There'll be many more over the coming months. We're going to learn about more victims, more data that's been taken. So we're still in the very early innings of this investigation.
ALLYN: Early innings for Microsoft, too, so stay tuned because we'll be following this as it keeps unfolding.
INSKEEP: Bobby, thanks.
ALLYN: Thanks, Steve.
INSKEEP: That's NPR's Bobby Allyn. Transcript provided by NPR, Copyright NPR.