Investigation revealed attempted activities beyond just the presence of malicious SolarWinds code in Microsoft's environment.
During the final weeks of 2020, the cyber security firm FireEye announced it had suffered a cyber-attack through malware inserted into network management software supplied to customers by the technology company SolarWinds.
At the time, SolarWinds reported that the attackers had inserted their malware into an upgrade of the company's Orion product, which may have been installed by more than 17,000 customers.
On the 31st of December 2021, the Microsoft Security Response Centre (MSRC) reported that an investigation into its "own environment has found no evidence of access to production services or customer data". The ongoing investigation also found no indications that its systems had been used to attack others.
According to MSRC, it had detected malicious SolarWinds applications in its environment, which it isolated and removed. Having investigated further, it had not found any evidence of the common TTPs (tools, techniques, and procedures) related to the abuse of forged SAML tokens against its corporate domains.
However, MSRC's investigation revealed attempted activities beyond just the presence of malicious SolarWinds code in its environment. "This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we're learning as we combat what we believe is a very sophisticated nation-state actor," MSRC said.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” stated MSRC. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”