Microsoft revealed on Thursday that the threat actors behind the SolarWinds attack were able to gain access to a small number of its internal accounts and gradually escalate their access within its internal network.

The company stated that “very sophisticated nation-state actors” used that unauthorized access to view, but not modify, source code held in its repositories.

The Windows maker said in the update: “We detected unusual activity with a small number of internal accounts. Upon review, we found that one account had been used to view source code in a number of source code repositories.”

“The account did not have permissions to modify any code or engineering systems. Our investigation further confirmed that no changes were made. These accounts were investigated and remediated.”

Security firm FireEye previously revealed that the attackers had used a trojanized software update to compromise its systems and steal its Red Team penetration testing tools. Microsoft's disclosure is the latest development in a far-reaching espionage campaign.

Earlier in its investigation of the intrusion, Microsoft acknowledged that it had detected malicious binaries in its environment, but denied that its systems had been used to attack others or that the attackers had gained access to production services or customer data.

Since then, several other companies, including Cisco, VMware, Intel and Nvidia, as well as a number of US government agencies, have also found traces of the Sunburst (also known as Solorigate) malware on their networks, implanted through the tainted Orion updates.

The Redmond-based company stated that its investigation is still ongoing but played down the incident, adding that “viewing source code isn't tied to an elevation of risk” and that it had found evidence of attempted activity that was thwarted by its protections.

In a separate analysis published on December 28, Microsoft described the attack as a “cross-domain compromise”: the attackers inserted malicious code into signed Orion Platform binaries, used that broad foothold to operate undetected, and moved on to access the targets' cloud resources, ultimately leading to the exfiltration of sensitive data.

SolarWinds' Orion software was not the only initial infection vector, however: the US Cybersecurity and Infrastructure Security Agency (CISA) stated that the attackers also used other methods, which have not yet been publicly disclosed.

The agency also issued supplemental guidance urging all US federal agencies still running the Orion software to update to the latest version, 2020.2.1 HF2.

The agency said: “The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code.”