Microsoft, however, did not specify what type of source code was accessed. The intruder compromised an employee account through which it viewed the code, the firm said.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the firm said in a blog post.
Microsoft disclosed two weeks ago that it detected malicious software in its system, a reference to a software patch from the firm SolarWinds that the Russians had manipulated to gain potential access to victims.
U.S. government officials have said that merely downloading a software update does not constitute a hack, but there can be no doubt that gaining access to source code does.
The latest development places Microsoft, one of the world’s largest cloud and software firms, among the victims of not just any breach but one of the most high-profile cyberespionage campaigns in recent years.
The Fortune 500 company now joins at least five major U.S. government agencies — Treasury, State, Commerce, Homeland Security and the National Institutes of Health, as well as a leading cybersecurity firm, FireEye — on the Russians’ hit list.
Secretary of State Mike Pompeo has publicly accused the Russians of carrying out the intrusions. President Trump, who has consistently accepted Moscow’s denials of malign cyberactivity directed against the United States, sought to deflect blame from Russia, baselessly suggesting China might be the culprit. Privately, U.S. officials say they believe the SVR, or Moscow’s foreign intelligence service, is behind the operation.
The hackers did not have permissions to modify any code or engineering systems, Microsoft said, adding “our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
The Redmond, Wash.-based company said it has found no evidence of access to production services or customer data. It said its investigation also found no indications that its systems have been used to attack others.
However, some of its cloud customers have been breached through a third-party partner that handles the firm’s cloud-access services, The Washington Post reported last week.
Microsoft has said it was the first to alert several U.S. government agencies in recent weeks to the fact they had been compromised.
Though the company is emphasizing that the intrusion has not put at risk the security of its services or customer data, some experts say that access to the source code — even if just for viewing purposes — could potentially allow the hackers to conduct malicious acts.
“Intruders can search the source code for software flaws that they might exploit, adding new weapons to their cyberwarfare arsenal,” said Mike Chapple, teaching professor of information technology at the University of Notre Dame and a former computer scientist with the National Security Agency.
“Having access to the source code gives the hackers the blueprint to how the software was created and makes it easier . . . for them to uncover new vulnerabilities,” said Chapple, who left the NSA in 2001. “Hackers can always attempt to reverse engineer software vulnerabilities, but having the source code provides them with a short cut,” he said.
Microsoft and the U.S. government are continuing their investigations of the breaches, a task that is likely to take months. The probe is now the top priority for Gen. Paul Nakasone, who heads both the NSA and the Pentagon’s U.S. Cyber Command, according to U.S. officials who, like others, spoke on the condition of anonymity to discuss the investigation.
U.S. government and private-sector sources say the total number of victims — of agencies and companies that have seen data stolen — is likely to be at most in the low hundreds, not in the thousands as previously feared. One person familiar with the issue said the best estimate now is about 300, though that figure could change as the probe continues.
But that is still a significant number, officials said, and the compromise of even a handful of major agencies, depending on the data stolen, could be hugely damaging.