Microsoft has made the CodeQL queries from the SolarWinds attack open source. Developers can use the queries to check whether their software has been affected by an attack like the one that hit SolarWinds.
In a blog post on its website, Microsoft describes how CodeQL works. The software is intended to analyse a developer’s code to detect so-called indicators of compromise (IoC). The software does this by checking the code for pieces of code similar to those used in the attack on SolarWinds. Microsoft emphasises, however, that it cannot guarantee that it will detect all malicious code. After all, the attacker may have used a different programming style.
CodeQL works in two steps. When compiling the input source code, the software creates a database with a model of the code to be compiled. Once the database has been created, queries can be run on it just like other databases. This should contribute to making the code more searchable. These queries can be compared to the SolarWinds queries that Microsoft has shared on CodeQL’s GitHub page. The software itself can also be found on GitHub.
In early December, FireEye announced that the company had fallen victim to a hack. The company said that the attack was of an exceptionally high level and that the hackers were probably looking for state secrets. A few days later, however, it turned out that the attack had hit not only FireEye but thousands of companies. Government agencies were also affected.
After extensive investigation, it turned out that the attack had been going on for many months and many large companies had been hit. Names that came up were Microsoft, Cisco, Intel, Nvidia, VMware, Deloitte, Malwarebytes and various American government agencies. The NSA and FBI strongly believe that Russian hackers are behind the attacks.
Backdoor in IT management software
The hackers carried out the attack by first breaking into the systems of IT company SolarWinds. There, the attackers managed to add their own code to the Orion software that SolarWinds develops. This software is widely used for IT management and is therefore installed on many company networks with many rights. The malicious code opened a backdoor that the attackers could use to investigate compromised computers and networks further. This further investigation had to be done manually, so by no means all companies where Orion was installed actually had data stolen. After the hack was discovered, SolarWinds quickly released an update that removes the malicious code from the software.
Assume a breach
Microsoft stresses that the company itself has always had a policy of checking all final versions of software for malicious modifications before rolling them out to servers and customers. The company also maintains an attitude of always assuming that someone has managed to breach the company. The company works on the assumption that no matter how smart the company is in its security arrangements, a potential attacker is just as smart and clever.