Microsoft says based on their investigation, more than 1,000 enemy engineers have worked on the attack.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Microsoft president Brad Smith said.
Microsoft had earlier admitted that hackers have entered their system, and was able to view the source code of some products, but denied hackers were able to use Microsoft’s resources to attack and infect others.
“The investigation also found no indications that our systems at Microsoft were used to attack others. Because of our defense-in-depth protections, the actor was also not able to gain access to privileged credentials or leverage the SAML techniques against our corporate domains,” said the MSRC Team.
Microsoft revealed which products the hackers were targeting.
These repositories contained code for:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
Microsoft says the hackers were trying to find secrets in the code but noted that their development policy prohibits secrets in the code. Microsoft was able to verify that the repositories viewed did not contain any live, production credentials.
Microsoft says the attacks have reinforced two key learnings that they wanted to emphasize —embracing a Zero Trust mindset and protecting privileged credentials.
A Zero Trust, “assume breach” philosophy explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. Microsoft recently shared guidance for using Zero Trust principles to protect against sophisticated attacks like Solorigate.
Protecting credentials is also essential. In deployments that connect on-premises infrastructure to the cloud, organizations can delegate trust to on-premises components. This creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services. Microsoft strongly recommends mastering identity in the Cloud, as described in protecting your M365 cloud services from on-premise attacks.
You can read all the lessons learnt at Microsoft here.