In a blog post, Microsoft has released further details of their investigation into the SolarWinds incident, which saw 18,000 companies, including Microsoft, hacked by what appears to be a sophisticated state actor.
In the post, Microsoft insists that they found no evidence of access to production services or customer data. They also found no indications that their systems were used to attack others.
Microsoft did detect malicious SolarWinds applications in their environment, which they isolated and removed. They did not, however, find any evidence of the common TTPs (tactics, techniques and procedures) related to the abuse of forged SAML tokens against their corporate domains.
They did, however, find attempted activity beyond just the presence of malicious SolarWinds code in their environment.
Specifically, there was unusual activity involving a small number of internal accounts: one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems, and Microsoft found that no changes were made.
Microsoft says there is no evidence that this activity placed the security of Microsoft’s services or any customer data at risk.
Microsoft says viewing source code does not increase risk, as the company does not rely on the secrecy of source code for the security of its products.
They also found evidence of attempted activities that were thwarted by Microsoft’s protections.
Microsoft says their investigation is ongoing and that they will post updates at aka.ms/solorigate if more information becomes available.