SolarWinds hackers accessed Microsoft source code in a number of repositories, the company says
But no changes were made to the code, Microsoft asserts
The hackers behind the SolarWinds security breach were able to access some of Microsoft's source code, although they could not make any changes to it.
In a blog post published on Thursday, Microsoft said that an internal investigation into the incident revealed "unusual activity with a small number of internal accounts". When those accounts were further reviewed, it was found that hackers used one account to view "source code in a number of source code repositories".
"The account did not have permissions to modify any code or engineering systems," Microsoft said, and the investigation confirmed that no changes were made to the code.
The company added that the hackers could not access customer data or production services, and that its machines were not used to launch attacks against other organisations.
In the blog post, Microsoft did not provide details on what type of source code was viewed by the hackers, so it is unclear which software products might be impacted by this security breach.
Cyber security experts believe that even a glance at Microsoft's source code might create opportunities for sophisticated hackers to develop new attacks that are able to compromise other Microsoft products.
However, Microsoft reassured customers that "viewing source code isn't tied to elevation of risk" as the company already has an "open source-like culture" that enables employees to view the source code.
The software giant noted that it does not "rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code".
While Microsoft published its new findings on 31st December, Reuters claimed that the company had known for days that its source code had been accessed during the log-running attack.
A Microsoft spokesman told the news outlet that its security teams have been working "around the clock" and that "when there is actionable information to share, they have published and shared it".
In an earlier blog post, Microsoft acknowledged that it had found compromised SolarWinds code on its systems, but added that the breach did not impact customer data or outward-facing systems.
The company said that it had identified more than 40 customers who were targeted more precisely by attackers and compromised through "additional and sophisticated measures".
Microsoft also claimed it had found evidence suggesting that a different threat actor was also targeting SolarWinds' software through a second piece of malware.
The second backdoor was different from the Sunburst attack, according to Microsoft researchers, raising the possibility that multiple adversaries have been launching parallel attacks to target US federal agencies.
The networking equipment maker Cisco also said last month that nearly two dozen computer systems used by Cisco researchers in the company lab were compromised through SolarWinds-related malware.
US federal officials have attributed the SolarWinds breach to Russia, an allegation that Kremlin has repeatedly denied. While Microsoft did not name Russia in its blog post, it said it is fighting against "a very sophisticated nation-state actor".