The Wall Street Journal reported Friday (March 12), citing people familiar with the matter, that Microsoft is investigating whether Chinese Communist hackers launched the global cyberattack with the help of an insider.
Microsoft is investigating whether the Chinese hackers obtained sensitive information from Microsoft’s security partners, the sources said.
The question is why the first cyberattack, which began in early January, came just a week before Microsoft was able to send software patches to customers. During that time, only a handful of China-linked hacking groups had access to the patch tool, which was intended to fix a vulnerability in Exchange email software but whose proof-of-concept code could also have been obtained by hackers and used to carry out the cyberattack.
Investigators are focusing on whether the information Microsoft previously shared about the vulnerability program was leaked to other groups through a partner, either inadvertently or intentionally, the sources said.
Researchers at a cybersecurity firm found that a second wave of cyberattacks on Microsoft vulnerabilities began Feb. 28, and that some of the tools had similarities to the Proof of Concept attack code that Microsoft distributed to antivirus companies and some security partners on Feb. 23.
The sources said that although Microsoft’s investigation has not yet reached a conclusion, investigators are studying whether the information contained in the February 23 notice sent to a specific group of security companies may have been used by hackers.
The Feb. 23 notice from Microsoft reportedly contained technical details about unpatched flaws in Exchange as well as “proof-of-concept” samples that could have been used to attack the systems.
Microsoft and other security companies have been reviewing an information-sharing program called the Microsoft Active Protection Program (Mapp), which was created in 2008 to allow security companies to prioritize the detection of emerging threats.
According to sources familiar with Mapp communications, Microsoft issued a patching message to Mapp verification partners weeks in advance on Feb. 23, saying it expected to patch two weeks later, on March 9. Microsoft rolled out the patch a week earlier (March 2) because of a second wave of cyber attacks against the Exchange vulnerability on Feb. 28.
Mapp includes 80 security companies worldwide, about 10 of which are based in China. In 2012, Microsoft dropped a Chinese company, Hangzhou DPT Technology Co., from the Mapp program after determining that the company had leaked proof-of-concept code that could be used in attacks and that the code had appeared on a Chinese website.
Microsoft declined to say whether any Chinese companies received proof-of-concept code for the Exchange vulnerability.
Microsoft first sent the proof-of-concept code notification on Feb. 23, and four days later (Feb. 27), hackers linked to the Chinese Communist Party were observed scanning the Internet for servers containing the Exchange vulnerability.
According to security firm ESET, four separate hacker groups began their widespread attacks beginning Feb. 28.
In addition, security researchers continue to dig into the first wave of attacks, which came more than a month before Microsoft’s Mapp notice; the earliest attackers came from China and appeared to have insight into the vulnerabilities. Microsoft previously said the hacking group known as Hafnium is a highly sophisticated Chinese group that has conducted a small number of targeted cyberattacks in an attempt to steal information from infectious disease researchers, law firms and educational institutions.
Investigators say Hafnium may or may not have shared information with other hacking groups; it may also have discovered the vulnerabilities on its own, or it may have learned about them from the security firms that discovered them.
A Taiwanese security firm called Devcore first discovered the Microsoft vulnerabilities last December. The company specializes in “red team” security assessments, in which employees simulate attacks on customers’ networks to test their defenses.
Devcore reported the vulnerabilities to Microsoft on Jan. 5, two days after the first known cyberattack in China. Investigators say it’s possible Devcore itself was hacked or may have inadvertently leaked information during a security event.