Microsoft is checking whether a leak played a role in the suspected Chinese hack

Microsoft is investigating whether a global cyberattack on tens of thousands of corporate customers could be linked to a leak by the company or its partners, according to people familiar with the matter.

The investigation focuses in part on how a stealthy attack that began in early January escalated in the week before the company could send a software fix to customers. During that time, a handful of China-linked hacking groups obtained the tools that allowed them to launch large-scale cyberattacks, which have now infected computers around the world running Microsoft Exchange e-mail software.

Some of the tools used in the second wave of the attack, which is believed to have started on February 28, bear similarities to the “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on February 23, investigators at security companies say. Microsoft had planned to release the security fixes two weeks later, on March 9, but after the second wave began, it released the patches a week early, on March 2, according to the researchers.

One focus of the investigation is an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies worldwide, of which about 10 are based in China. A subset of Mapp’s partners received Microsoft’s February 23 notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether Chinese companies were included in the release.

How hackers obtained the tools is important to Microsoft and others who are struggling to assess the damage of the historic cyberattack, which has allowed other hacking groups to exploit the vulnerabilities for their own purposes. Microsoft said this week that it saw ransomware, or malicious software that locks victims’ computers until they pay the hackers, being used to target networks that had not yet been patched. As many of the organizations targeted are small businesses, schools and local governments, security experts said they could be particularly vulnerable to debilitating attacks.

Senior Biden administration officials have described the problem in dire terms over the past week, urging organizations to patch their systems immediately. No federal system is currently known to have been compromised, although officials are still assessing possible agency exposure. President Biden was briefed on the hack, and the administration has set up a coordination group for cybersecurity agencies focused on the hack, a National Security Council spokeswoman said.

Microsoft said there would be consequences if the Mapp partnership was abused. “If it turns out that a Mapp partner was the source of a leak, it would have consequences for violating the terms of participation in the program,” a Microsoft spokesman said in an email.

In 2012, Microsoft expelled a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after it determined that the company had leaked proof-of-concept code that could be used in an attack and that this code appeared on a Chinese website.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
