The hackers gained more access than the company previously revealed, though the attackers were unable to modify code or access emails.
Microsoft said on Thursday that the far-reaching Russian cyberattack of U.S. government agencies and private corporations went further into its network than the company had previously revealed.
While the hackers, suspected to be working for Russia’s S.V.R. intelligence agency, did not appear to use Microsoft’s systems to attack other victims, they were able to view some Microsoft source code by hacking into an employee account, the company said.
Microsoft had previously said it was not breached in the attack, which compromised dozens of federal agencies, as well as corporations. Microsoft said its subsequent investigation revealed that the hackers were not able to access emails or its products and services, and that they were not able to modify the source code they viewed.
The Russian attack, which may be ongoing, appears to have begun as far back as October 2019. That was when hackers first breached a Texas company called SolarWinds that provides network monitoring services to government agencies and 425 of the Fortune 500 companies. The Commerce, Treasury, State and Energy Departments were all breached in the attack, as was FireEye, a top cybersecurity firm that first revealed the breach this month.
Investigators are still trying to understand what hackers stole, but investigations by FireEye, Microsoft, Amazon and other companies have revealed that the attack may be much larger in scope than originally believed. In the past week, CrowdStrike, a FireEye competitor, announced that it too had been targeted, unsuccessfully, by the same attackers. In that case, the hackers used Microsoft resellers, companies that sell software on Microsoft’s behalf, to try to access it systems.
The Department of Homeland Security has confirmed that SolarWinds was one of several avenues that the Russians used to attack American agencies, technology and cybersecurity companies.
President-elect Joseph R. Biden Jr. has accused President Trump of downplaying the hack. Mr. Trump has privately called the attack a “hoax.” Publicly, he has suggested that China, not Russia, may have been the culprit — a finding that was disputed by Secretary of State Mike Pompeo.
This is a developing story and will be updated.
Nicole Perlroth is a cybersecurity reporter. Her first book, “This Is How They Tell Me The World Ends,” about the global cyber arms race, will publish in February 2021. @nicoleperlroth