عربي English Türkçe اردو فارسى
Logo
Latest News
Technology

SolarWinds Hackers Accessed Microsoft Source Code, the Company Says

The Microsoft logo is pictured ahead of the Mobile World Congress in Barcelona, Spain February 24, 2019. (Reuters)
The Microsoft logo is pictured ahead of the Mobile World Congress in Barcelona, Spain February 24, 2019. (Reuters)
TT
20
TT

SolarWinds Hackers Accessed Microsoft Source Code, the Company Says

The Microsoft logo is pictured ahead of the Mobile World Congress in Barcelona, Spain February 24, 2019. (Reuters)
The Microsoft logo is pictured ahead of the Mobile World Congress in Barcelona, Spain February 24, 2019. (Reuters)

The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the spies’ ambition.

Source code - the underlying set of instructions that run a piece of software or operating system - is typically among a technology company’s most closely guarded secrets and Microsoft has historically been particularly careful about protecting it.

It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive US government networks also had an interest in discovering the inner workings of Microsoft products as well.

Microsoft had already disclosed that like other firms it found malicious versions of SolarWinds’ software inside its network, but the source code disclosure - made in a blog post - is new. After Reuters reported it was breached two weeks ago, Microsoft said it had not “found any evidence of access to production services.”

Three people briefed on the matter said Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security employees had been working “around the clock” and that “when there is actionable information to share, they have published and shared it.”

The SolarWinds hack is among the most ambitious cyber operations ever disclosed, compromising at least half-a-dozen federal agencies and potentially thousands of companies and other institutions. US and private sector investigators have spent the holidays combing through logs to try to understand whether their data has been stolen or modified.

Modifying source code - which Microsoft said the hackers did not do - could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.

“The source code is the architectural blueprint of how the software is built,” said Andrew Fife of Israel-based Cycode, a source code protection company.

“If you have the blueprint, it’s far easier to engineer attacks.”

Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also cautioned that elements of the company’s source code were already widely shared - for example with foreign governments. He said he doubted that Microsoft had made the common mistake of leaving cryptographic keys or passwords in the code.

“It’s not going to affect the security of their customers, at least not substantially,” Tait said.

Microsoft noted that it allows broad internal access to its code, and former employees agreed that it is more open than other companies.

In its blog post, Microsoft said it had found no evidence of access “to production services or customer data.”

“The investigation, which is ongoing, has also found no indications that our systems were used to attack others,” it said.

Reuters reported a week ago that Microsoft-authorized resellers were hacked and their access to productivity programs inside targets leveraged in attempts to read email. Microsoft acknowledged some vendor access was misused but has not said how many resellers or customers may have been breached.

There was no response to requests for comment from the FBI, which is investigating the hacking campaign, or from the Department of Homeland Security’s Cybsersecurity and Infrastructure Security Agency.

US officials have attributed the SolarWinds hacking campaign to Russia, an allegation the Kremlin denies.

Both Tait and Ronen Slavin, Cycode’s chief technology officer, said a key unanswered question was which source code repositories were accessed. Microsoft has a huge range of products, from widely used Windows to lesser known software such as social networking app Yammer and the design app Sway.

Slavin said he was worried by the possibility that the SolarWinds hackers were poring over Microsoft’s source code as prelude to a much more ambitious offensive.

“To me the biggest question is, ‘Was this recon for the next big operation?’” he said.

Most Viewed

 
Technology

Justice at Stake as Generative AI Enters the Courtroom

Generative artificial intelligence has been used in the US legal system by judges performing research, lawyers filing appeals and parties involved in cases who wanted help expressing themselves in court. Jefferson Siegel / POOL/AFP
Generative artificial intelligence has been used in the US legal system by judges performing research, lawyers filing appeals and parties involved in cases who wanted help expressing themselves in court. Jefferson Siegel / POOL/AFP
TT
20
TT

Justice at Stake as Generative AI Enters the Courtroom

Generative artificial intelligence has been used in the US legal system by judges performing research, lawyers filing appeals and parties involved in cases who wanted help expressing themselves in court. Jefferson Siegel / POOL/AFP
Generative artificial intelligence has been used in the US legal system by judges performing research, lawyers filing appeals and parties involved in cases who wanted help expressing themselves in court. Jefferson Siegel / POOL/AFP

Generative artificial intelligence (GenAI) is making its way into courts despite early stumbles, raising questions about how it will influence the legal system and justice itself.

Judges use the technology for research, lawyers utilize it for appeals and parties involved in cases have relied on GenAI to help express themselves in court.

"It's probably used more than people expect," said Daniel Linna, a professor at the Northwestern Pritzker School of Law, about GenAI in the US legal system.

"Judges don't necessarily raise their hand and talk about this to a whole room of judges, but I have people who come to me afterward and say they are experimenting with it”.

In one prominent instance, GenAI enabled murder victim Chris Pelkey to address an Arizona courtroom -- in the form of a video avatar -- at the sentencing of the man convicted of shooting him dead in 2021 during a clash between motorists.

"I believe in forgiveness," said a digital proxy of Pelkey created by his sister, Stacey Wales.

The judge voiced appreciation for the avatar, saying it seemed authentic.

"I knew it would be powerful," Wales told , "that that it would humanize Chris in the eyes of the judge."

The AI testimony, a first of its kind, ended the sentencing hearing at which Wales and other members of the slain man's family spoke about the impact of the loss.

Since the hearing, examples of GenAI being used in US legal cases have multiplied.

"It is a helpful tool and it is time-saving, as long as the accuracy is confirmed," said attorney Stephen Schwartz, who practices in the northeastern state of Maine.

"Overall, it's a positive development in jurisprudence."

Schwartz described using ChatGPT as well as GenAI legal assistants, such as LexisNexis Protege and CoCounsel from Thomson Reuters, for researching case law and other tasks.

"You can't completely rely on it," Schwartz cautioned, recommending that cases proffered by GenAI be read to ensure accuracy.

"We are all aware of a horror story where AI comes up with mixed-up case things."

The technology has been the culprit behind false legal citations, far-fetched case precedents, and flat-out fabrications.

In early May, a federal judge in Los Angeles imposed $31,100 in fines and damages on two law firms for an error-riddled petition drafted with the help of GenAI, blasting it as a "collective debacle."

The tech is also being relied on by some who skip lawyers and represent themselves in court, often causing legal errors.

And as GenAI makes it easier and cheaper to draft legal complaints, courts already overburdened by caseloads could see them climb higher, said Shay Cleary of the National Center for State Courts.

"Courts need to be prepared to handle that," Cleary said.

Transformation

Law professor Linna sees the potential for GenAI to be part of the solution though, giving more people the ability to seek justice in courts made more efficient.

"We have a huge number of people who don't have access to legal services," Linna said.

"These tools can be transformative; of course we need to be thoughtful about how we integrate them."

Federal judges in the US capitol have written decisions noting their use of ChatGPT in laying out their opinions.

"Judges need to be technologically up-to-date and trained in AI," Linna said.

GenAI assistants already have the potential to influence the outcome of cases the same way a human law clerk might, reasoned the professor.

Facts or case law pointed out by GenAI might sway a judge's decision, and could be different than what a legal clerk would have come up with.

But if GenAI lives up to its potential and excels at finding the best information for judges to consider, that could make for well-grounded rulings less likely to be overturned on appeal, according to Linna.