Source code – the underlying set of instructions that run a piece of software or operating system – is typically among a technology company’s most closely guarded secrets and Microsoft has historically been particularly careful about protecting it.
Even though the company admitted that they were able to view some of the source code, Microsoft stated that the hackers were not able to change it.
The tech giant also risk assessed the intrusion, noting that its software development relies on code sharing within the company, a practice called “inner source.”
In a blog post, the company said its investigation had turned up irregularities with a “small number of internal accounts” and that one of the accounts “had been used to view source code in a number of source code repositories.”
Microsoft said the account did not have the ability to monitor any Microsoft code. The blog post further added it has found no evidence of access to production services or customer data. “The investigation, which is ongoing, has also found no indications that our systems were used to attack others,” it said.
The hack began as early as March when malicious code was snuck into updates to SolarWinds software that monitors computer networks.
Microsoft helped respond to the breach with cybersecurity firm FireEye, which discovered the hack when the security firm itself was targeted.
Microsoft had already disclosed that like other firms it found malicious versions of SolarWinds’ software inside its network, but the source code disclosure – made in a blog post – is new.
The SolarWinds hack is among the most ambitious cyber operation ever disclosed, compromising at least half-a-dozen federal agencies and potentially thousands of companies and other institutions.
U.S. and private-sector investigators have spent the holidays combing through logs to try to understand whether their data has been stolen or modified.
According to a Seattle Times report, cybersecurity experts and US officials suspect Russia was behind the hack.
Microsoft said earlier this month that it identified more than 40 government agencies, think tanks, non-governmental organisations and IT companies infiltrated by the hackers. Russia has denied that it is to blame.
