Microsoft is investigating whether the leak played a role in a suspected Chinese hack

Microsoft Corp. is investigating whether a global cyber attack on tens of thousands of corporate customers could be linked to an information leak from the company or its partners, according to people familiar with the case.

The investigation focuses in part on how a covert attack that began in early January escalated in the week before the company was able to send a software fix to customers. During that time, a handful of China-linked hacker groups obtained the tools to launch extensive cyber attacks that have now compromised computers running Microsoft Exchange email software around the world.

Some of the tools used in the second wave of the attack, believed to have started on Feb. 28, have similarities to “proof-of-concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23, researchers at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began, the patches were pushed out a week early, on March 2, researchers said.

One focus of the investigation is an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies worldwide, of which about 10 are based in China. A subset of the Mapp partners received the Feb. 23 Microsoft notification, which contained the proof-of-concept code, according to people familiar with the program. A Microsoft spokesperson declined to say whether Chinese companies were included in that distribution.

How the hackers obtained the tools is important to Microsoft and others who are working to assess the damage from the historically significant cyber attack, which allowed other hacker groups to take advantage of the vulnerabilities for their own purposes. Microsoft said this week that it had spotted ransomware, malicious software that locks its victims’ computers until they pay the hackers, being used to target networks that had not yet been patched. Because many of the targeted organizations are small businesses, schools and local governments, security experts said they could be particularly exposed to damaging attacks.

Senior officials from the Biden administration have described the problem in serious terms over the past week, urging organizations to patch their systems immediately. There are currently no known federal systems that have been compromised, although officials are still investigating agencies’ potential exposure. President Biden has been briefed on the hack, and the government has set up an interagency cybersecurity coordination group to address it, a National Security Council spokeswoman said.

Microsoft said there would be consequences if the Mapp program had been abused. “If it turns out that a Mapp partner was the source of a leak, they would have consequences if they violate the terms of participation in the program,” a Microsoft spokesperson said via email.

In 2012, Microsoft removed a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack, and that code appeared on a Chinese website.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
