
Russian cyberspies and ‘secret’ emails /s
“Some of these secrets were shared between customers and Microsoft in email”
Microsoft has now confirmed that the Russian cyberspies who broke into its executives' email accounts stole source code and gained access to internal systems. The Redmond giant also characterized the intrusion as "ongoing." In an updated US SEC filing and companion security post, Microsoft provided more details about the …
I find it hard to believe Microsoft executives would even know what source code looks like, much less have access to it or that anyone could steal Microsoft source code by hacking Microsoft executives' accounts. If there's one thing Microsoft executives know, it's plausible deniability for when their products are shown to be crap.
Most likely a clever plot by the CIA. Acting on full access to the Microsoft source code may well set Russian IT and cyber intelligence efforts back a couple of decades. Maybe more if Microsoft actually has documentation for their code -- a conjecture I've encountered from time to time but for which there seems to be no known evidence.
Thinking out loud - if Microsoft had secrets why would they share them with major customers?
Are they indirectly saying they were talking to an intelligence agency and informing them about a backdoor?
The emails that were attacked included "a legacy non-production test tenant account" - read into that what you will... for whatever reason they have a 'test account' that happens to hold the live emails of executives (and presumably... other people's email?). Possibly an offline listening post type account?
What on earth this means for live emails...I do not know "We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes".
I once had someone tell me that we couldn't POSSIBLY use Linux on a particular product - "because Linux is Open Source - That means Anybody can get in!"
Windows 2000 had been mandated by higher-ups, for a government type-approved embedded system. Each unit required three separate Intel Atom PC/104 boards each running win2k for the system to operate. Usually one of them was borked, so it usually didn't.
Of course, in this case, that was fine, because the product in question was the speed cameras on the M25 and M40 (ducks)
Borked cameras often required lane closures and someone to go up on a gantry to reset it. In the end, they made most of their money selling dummy cameras.
Security risks exist regardless of nationality, so in terms of measuring risk, nationality is only one factor.
"I will just keep sending you an abundance of information," he [U.S. Army Sergeant Korbein Schultz] wrote to the coconspirator, according to prosecutors, later expressing a desire to compare himself to Jason Bourne, the fictional spy created by author Robert Ludlum. [Current News Story]
Contrary to ingrained implicit bias, he has no blood relation to Sergeant Schultz from Hogan's Heroes, the affable, lovable WWII German prisoner of war guard so endeared to many US TV viewers in the 1960s.
Ms sells software to everyone including the military, so if you want to hack the DoD then you're going to be a target. Get your act together. A 12 year old UK child hacked into the Pentagon. No one said our security is so bad even a 12 year old can get in. They wanted to jail him. No one got sacked for being rubbish at their job.
"Ms sells software to everyone including the military"
My impression, and I sure hope I'm right, is that the US military only uses Microsoft and other commercial software for routine office tasks -- payroll, tracking vacation ("Leave" in Milspeak), probably some purchasing and accounts payable -- especially COTS (Commercial Off The Shelf) stuff like office supplies or products resold in the Base Exchange. Combat systems hopefully remain on dedicated software far from the weird notions that vendor testing is adequate and that nothing can possibly go wrong with Over The Air updates.
"Esp hardware, infra and security...."
When you're a sad corporation that is less secure than Microsoft, there is always Entra ID.
The Redmond giant also characterized the intrusion as "ongoing."
...and stole internal messages and files belonging to the leadership team, and cybersecurity and legal employees.
But hey, everything is safer in the cloud.
Azure is a joke. Crappy downtime, no depth to their services, you have no option but to do things in the limited scope they provide and not the way you do things, and now they have shown to have piss poor security. Still, they take our execs out to the F1, so that's us stuck with them, I guess.
Changing the priority 'cause government says so. Offer a "By default cloud-free" version of Windows 10 / 11 / 12 / Office 'cause government says so. Without dark pattern 'cause government says so.
It is not that the USA government is without power over companies - as soon as the "national security" trigger is hit there is no limit. At least in my dreams they will enforce such a Windows version.
Quote: "...access to some of the company's source code repositories..."
At SolarWinds the hackers INSERTED malware into development libraries.....and then waited for the code to turn up in the delivered application.
Why is this report so coy about this possibility? Why are hackers always represented as STEALING material....when the smart money is on the possibility that they are WRITING CODE at M$?
Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.
I have experienced this with customers sending sensitive information via email; I would delete the email, expunge the mailbox, and request the customer to change those details in their systems. I do not need access to a customer's system; when I needed information, I'd tell the customer how to retrieve the information in their systems for me.
@Omnipresent
...the fact that micro$oft is a threat to a civilized society...
You are joking, but I am of the opinion that Windows365 presents a single point of failure to everyone who has moved their enterprise/business/own PC to Win365. I am sure there is more than one bad actor who is salivating at the prospect of the world+dog moving en masse, as they are sitting on a plethora of unknown/undisclosed/unpatched vulnerabilities that will allow them to take control of Windows365 and then hold the world economy to ransom.
If I were a CTO/CIO of an enterprise or company that is fully invested in Microsoft products, I would have sleepless nights about it; the more so if top management is unwilling to consider other avenues. (OK, I would not be with that, or any similar company, anymore).
Please note that I am not a tin-foil hatter, nor a conspiracy theorist of any sort; all you need to do is open your eyes and think about how Windows365 is designed to work, and who is looking after your security (you certainly have no control over anything once it is in Windows365, even if you believe it with your whole heart).
The wailing and gnashing of teeth will be deafening the day that it happens (not if - when).
TBH I'm not sure I am joking. At this point no one trusts M$ for good reason. I think it started with the cloud computing push myself. I mean, M$ never was the best option, it was simply the best option available. Greed, and very bad design, has made it a vulnerability, and threat to society. I use both mac and windows, but this incident has me thinking more about how we, as a society can no longer rely on it, or trust it. So, what happens after M$? How does society handle it? How do we still function without what is both our most relied upon technology, and our biggest threat to humanity?
Then the code gets better, MS would have to close the back doors the governments of the "free" world use to spy on their citizens.
It seems improbable those governments want to leave those doors open to the MoD or KGB.
Way back in 2007 a Microsoft executive said: "Microsoft is not a security company. Security is important, but it's just a little part of Microsoft,"
Source: https://www.zdnet.com/article/microsoft-onecare-should-not-have-been-rolled-out/
That was 17 years ago. MSFT's lack of security acumen has not improved. They still don't have security as part of their DNA.
Defender should be marketed as "Free 'checkbox security' from your E5 subscription. 'Good Enough' to block script kiddies, and not much more."