is investigating whether a global cyber attack on tens of thousands of its corporate clients could be linked to an information leak by the company or its partners, according to people familiar with the matter.
The investigation focuses in part on the question of how a stealth attack that began in early January gained steam in the week before the company was able to ship a software solution to customers. In that time, a handful of hacker groups linked to China obtained the tools that enabled them to launch wide-ranging cyberattacks that have now infected computers around the world running Microsoft’s Exchange email software.
Some of the tools used in the second wave of the attack, which is believed to have started on February 28, bear similarities to the “proof-of-concept” attack code that Microsoft distributed to antivirus companies and other security partners on February 23, according to researchers at security companies. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began, it released the patches a week earlier, on March 2, according to the researchers.
A focus of the investigation has been an information sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes around 80 security companies around the world, about 10 of which are based in China. A subset of Mapp’s partners were sent Microsoft’s February 23 notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesperson declined to say whether any Chinese companies received that notification.
How hackers obtained the tools is important to Microsoft and others struggling to assess the damage from the historically large cyberattack, which has allowed other hacker groups to capitalize on the vulnerabilities for their own purposes. Microsoft said this week that it had detected ransomware, or malicious software that locks its victims’ computers until hackers are paid, being used to attack networks that have not yet been patched. Because many of the target organizations are small businesses, schools and local governments, security experts said they could be especially exposed to debilitating attacks.
Senior officials in the Biden administration have described the problem in dire terms for the past week, urging organizations to patch their systems immediately. Currently no federal system is known to have been compromised, although officials are still investigating possible agency exposure. President Biden has been briefed on the attack, and the administration has created an interagency cybersecurity coordination group focused on it, a spokeswoman for the National Security Council said.
Microsoft said there would be consequences if the Mapp partnership was abused. “If it turns out that a Mapp partner was the source of a leak, they would face the consequences of breaking the terms of participation in the program,” a Microsoft spokesperson said by email.
In 2012, Microsoft kicked a Chinese company, Hangzhou DPTech Technologies Co., Ltd, out of Mapp after determining that it had leaked proof-of-concept code that could be used in an attack; the code had appeared on a Chinese website.
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.