Microsoft makes CodeQL queries open source to detect SolarWinds hacks

Microsoft has put a method on the internet that companies can use to research the SolarWinds vulnerability. The company is making a tool that does CodeQL queries, including those queries themselves, open source.

Microsoft put the queries online in response to the SolarWinds supply chain attack that took place in December on companies and US government agencies. Microsoft itself was one of the companies hit by an infected binary in network monitoring tool Orion. The company has been investigating the impact of the leak for a long time. Now Microsoft also says it wants to help other companies do their own research within their own networks.

For the study, Microsoft used CodeQL queries to scan its own source code for indicators of compromise. CodeQL queries are queries that can be run on GitHub repositories to find structure and readability inconsistencies, as well as security vulnerabilities. This requires specific .ql searches. Microsoft has now put the queries on GitHub that it itself used to track down infected Orion software.

Other companies can use those queries to see if they see similarities with Solorigate, as the leak is called, in their own code. This concerns, for example, similarities in syntax, but also in the functionality of code snippets. Microsoft warns that the CodeQL queries should always be part of a broader investigation. “There is no guarantee that an attacker has used the same functionality or programming style in other operations,” the company wrote.