Microsoft Corp. is currently investigating whether a global cyberattack on tens of thousands of its business customers could be linked to a leak of information by the company or its partners, according to people familiar with the matter.
The investigation is partly focused on how a rogue attack that began in early January gained steam in the week before the company was able to send a software fix to customers. During that week, a handful of hacking groups linked to China obtained the tools that enabled them to launch wide-ranging cyberattacks, infecting computers around the world that run Microsoft’s Exchange email software.
Some tools used in the second wave of the attack, which apparently began on February 28, have similarities with ‘proof-of-concept’ attack code that Microsoft distributed to antivirus companies and other security partners on February 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began, researchers said, it released them a week early, on March 2.
One focus of the investigation is an information-sharing program called the Microsoft Active Protections Program, or Mapp, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies worldwide, of which about 10 are based in China. Some Mapp partners received a release from Microsoft on February 23 containing the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether Chinese companies were included in that release.
How the hackers obtained the tools matters as Microsoft and others assess the damage from the historically large cyberattack, which has since enabled other hacking groups to exploit the vulnerabilities for their own purposes. Microsoft said this week that it has spotted ransomware, malicious software that locks victims’ computers until they pay the hackers, being used to target networks that have not yet been patched. Since many of the targeted organizations are small businesses, schools and local governments, security experts said they may be particularly vulnerable to debilitating attacks.
Senior Biden administration officials described the problem in stark terms last week, urging organizations to patch their systems immediately. No federal systems are currently known to have been compromised, although officials are still investigating possible exposure at agencies. President Biden has been briefed on the hack, and the administration has created an interagency coordinating group for cyber security focused on the hack, a National Security Council spokesman said.
Microsoft said there would be consequences if the Mapp partnership was abused. “If it turns out that a Mapp partner is the source of the leak, they will face consequences if they violated the terms of participation in the program,” a Microsoft spokesman said in an email.
In 2012, Microsoft removed a Chinese company, Hangzhou DPTech Technologies Co., Ltd., from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack and that the code had appeared on a Chinese website.
Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.