Microsoft Corp.’s Security Response Center today concluded its internal investigation into the SolarWinds Worldwide LLC breach, finding that although some source code was downloaded, there was no evidence hackers had abused internal systems or products to attack its users.

Reports that Microsoft had been a possible victim of the SolarWinds hack first emerged Dec. 17 with the suggestion that the hackers had breached the company and then used Microsoft’s products in follow-on attacks against others. The report was denied by Microsoft President Brad Smith at the time, but to the company’s credit it then launched a full internal investigation into anything to do with SolarWinds and the hackers involved.

Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed.

For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components.

The researchers notes that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.

In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials.

To avoid attacks in the future, the researchers recommended that a zero-trust “assume breach” philosophy be adopted as a critical part of defense as well as protecting credentials being essential.

“Microsoft closing their investigation today marks the first step in the process of the security community recovering from the Solorigate attack,” Kevin Dunne, president at integrated risk management solutions provider Greenlight Technologies Inc., told SiliconANGLE. “This attack highlighted the need to reconsider trust at all levels of the security supply chain — even in terms of trusting updates from long-tenured, legitimate suppliers.”

Oliver Tavakoli, chief technology officer at artificial intelligence cybersecurity company Vectra AI Inc., said the adoption of a zero-trust architecture was something that had already been accelerating during the pandemic and the new normal of working from home. “Microsoft points out that organizations should go one step further by adopting it as a ‘mindset’ – accept that all of the initial lines of defense can fail and that security controls need to be layered across all systems critical to an organization,” he added.

Dirk Schrader, global vice president at cybersecurity and compliance software firm New Net Technologies Ltd., disagreed, however, saying that a zero-trust plan seems like a good idea at first sight but is misleading here.

“The Solorigate incident isn’t about a user who should not be trusted, it is about the sourcing itself and for this scenario, the user and the IT administration will be overwhelmed at the end,” Schrader explained. “At some stag, trust needs to be established to be operational and with thousands of changes incurred to files and settings when rolling out a Microsoft patch day update, the IT administration would certainly not want to check each and every change.”

Photo: Pixahive