The hackers behind the worst intrusion of US government agencies in years won access to Microsoft’s secret source code for authenticating customers, one of the biggest vectors used in the attacks.
Microsoft said in a blog post on Thursday that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.
Some of the code was downloaded, the company said, which would have allowed the hackers more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.
Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.
US authorities said Wednesday the breaches revealed in December extended to nine federal agencies and 100 private companies, including major technology providers and security firms. They said the Russian government is likely behind the spree, which Moscow has denied.
Initially discovered by security provider FireEye, the hackers used advanced skills to insert software back doors for spying into widely used network-management programs distributed by Texas-based SolarWinds.
At the most prized of the thousands of SolarWinds customers were exposed last year, the hackers added new Azure identities, added greater rights to existing identities, or otherwise manipulated the Microsoft programs, largely to steal email. Some hacking also used that method on targets which did not use SolarWinds.
Microsoft previously acknowledged that some of its resellers, who often have continual access to customer systems, had been used in the hacks. It continues to deny that flaws in anything it provides directly have been used as an initial attack vector.
The company said Thursday it had completed its probe and that it had “found no indications that our systems at Microsoft were used to attack others.”
Nevertheless, the problems with identity management have proved so pervasive in the recent attacks that multiple security companies have issued new guidelines and warnings as well tools for detecting misuse.