Microsoft had previously acknowledged using the IT management software, SolarWinds Orion, that gave the attackers a potential window into thousands of public and private sector organizations. But this marks the first time Microsoft has confirmed that the attackers exploited the vulnerability against the technology giant.
Mike Chapple, a former National Security Agency official and an information technology professor at the University of Notre Dame, said the attackers were likely looking for potential security vulnerabilities in Microsoft products that they could exploit to gain access to users of those products.
“Cybersecurity professionals now need to be concerned that this information falling into the wrong hands might create the next SolarWinds-level vulnerability in a Microsoft product,” Chapple said.
But Microsoft said its security practices begin by preemptively assuming that hackers already have access to the company’s source code, and protects its services accordingly.
“We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” the company said. “So viewing source code isn’t tied to elevation of risk.”
This content was originally published here.