Solorigate cyberespionage updates.
At the end of December, Microsoft updated its account of Solorigate, the large cyberespionage campaign generally attributed to Russia's SVR. Redmond said it detected and removed malicious SolarWinds software within its environment, and that the investigation led the company to discover that a threat actor had used an employee account to view source code in several repositories. Microsoft emphasizes that the actor wasn't able to modify any code, adding that "we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code."
The New York Times reports that US intelligence agencies are looking into the possibility that JetBrains, a Czech firm that offers widely used IDEs and other software development tools, may have been compromised as part of the cyberespionage campaign. The JetBrains product in question is TeamCity, a software build management tool, although the tool's potential role in the hack is still unclear. The Times quotes Dmitri Alperovitch as saying that such a breach could greatly expand the scope of the incident, since "[i]t can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world." The Times notes that JetBrains products are used by 300,000 organizations, including seventy-nine of the Fortune 100 companies.
JetBrains said in a blog post that it learned of the investigation from the news reports, and that it currently has no knowledge of any compromise:
"First and foremost, JetBrains has not taken part or been involved in this attack in any way. SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software. SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available. It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability. Furthermore, security is our top concern and we notify and manage updates transparently in our Security Bulletin.
"Secondly, we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation."
JetBrains also cites a SolarWinds spokesperson as saying, "SolarWinds, like many companies, uses a product by JetBrains called TeamCity to assist with the development of its software. We are reviewing all internal and external tools as part of our investigations, which are still ongoing. The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product."