Microsoft investigating whether a leak played a role in suspected Chinese hack

Microsoft Corp. is investigating whether a global cyberattack against tens of thousands of corporate customers may be related to information leaked by the company or its partners, according to people familiar with the matter.

The investigation focuses in part on how a stealthy attack that began in early January gained momentum in the week before the company could ship a software fix to customers. During that week, a handful of hacker groups linked to China obtained the tools that allowed them to launch powerful cyberattacks, which have now infected computers around the world running Microsoft Exchange e-mail software.

Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, have similarities to the “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it released the patches a week earlier, on March 2, according to researchers.

One focus of the investigation has been an information-sharing program called the Microsoft Active Protections Program, created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies worldwide, about 10 of which are headquartered in China. A subset of Mapp partners received a notification from Microsoft on Feb. 23 that included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in that notification.

How the hacking tools spread is an important question for Microsoft and others assessing the damage from the historically large cyberattack, which has allowed other hacking groups to exploit the vulnerabilities for their own purposes. Microsoft said this week that it had detected ransomware, malicious software that locks its victims’ computers until they pay the hackers, being used to target networks that had not yet been patched. Because many of the targeted organizations are small businesses, schools, and local governments, security experts said they could be especially exposed to debilitating attacks.

Senior Biden administration officials described the problem in serious terms last week and urged organizations to patch their systems immediately. It is not currently known whether any federal systems have been compromised, and officials are still investigating agencies’ possible exposure. President Biden has been briefed on the hack, and the administration has set up an interagency cybersecurity coordination group focused on it, a National Security Council spokeswoman said.

Microsoft said there would be consequences if the Mapp program had been abused. “If it turns out that a Mapp partner was the source of a leak, they would have consequences for breaching the terms of participation in the program,” a Microsoft spokesman said in an email.

In 2012, Microsoft expelled a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack and that subsequently appeared on a Chinese website.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.