Microsoft, in an internal Solorigate investigation update, said it found no evidence of access to production services or customer data and that there were no indications that the company’s systems were used to attack others. The ongoing investigation discovered that one account was used to view source code in a number of source code repositories.
In 2020, a major cyberattack by a group backed by a foreign government penetrated multiple parts of the United States federal government, leading to a data breach. The hacking group Cozy Bear, backed by the Russian intelligence agency SVR, was reportedly identified as the attacker.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration. In the following days, more departments and private organizations reported breaches.
The cyberattack that led to the federal breaches began no later than March 2020. The attackers exploited software from at least three U.S. firms: Microsoft, SolarWinds, and VMware.
Microsoft said Thursday it found no evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against its corporate domains.
Microsoft said it detected unusual activity with a small number of internal accounts and, upon review, discovered that one account had been used to view source code in a number of source code repositories. However, the account did not have permissions to modify any code or engineering systems, and its investigation further confirmed no changes were made. These accounts were investigated and remediated.
Previously, Microsoft had detected malicious SolarWinds applications in its environment, which it isolated and removed.