Microsoft investigating security partners for leaks to hackers

Microsoft is investigating whether the security companies it works with leaked details about vulnerabilities in its software, helping hackers expand a major cyberattack late last month, according to people informed of the investigation.

Microsoft originally blamed Hafnium, a group of hackers backed by the Chinese state, for the first wave of attacks in January.

As the company was preparing to announce the hack and release fixes, the attacks, which had targeted “specific individuals” in US think tanks and non-governmental organizations, suddenly increased and became more indiscriminate.

Several other groups of Chinese hackers began launching attacks as part of a second wave in late February, according to researchers.

“We are looking at what may have caused the increase in malicious activity and have not yet reached any conclusions,” said Microsoft, adding that there was no “evidence” that the information was leaked from within the company.

People familiar with the investigation said Microsoft is examining whether the roughly 80 cybersecurity companies that receive advance information about threats and patches may have passed that information on to hackers. Members of the so-called Microsoft Active Protections Program (MAPP) include Chinese companies such as Baidu and Alibaba.

“If they discover that a MAPP partner was the source of the leak, they would face the consequences for violating the terms of participation in the program,” said Microsoft.

The investigation, first reported by Bloomberg, comes at a time when criminal ransomware gangs are stepping up efforts to attack companies that have not yet updated their systems with Microsoft patches. Government officials around the world are still assessing the damage done by hackers.

Jake Sullivan, the White House’s national security adviser, said the United States is mobilizing a response, but “is still trying to determine the scope and scale” of the attack. He added that “certainly the evil actors are still on some of these Microsoft Exchange systems”.

Although Sullivan did not confirm Microsoft’s claim that China was responsible for most of the attacks, he said Washington intended to make a formal attribution “in the near future”.

“We are not going to hide the ball in this,” he said. More than 30,000 American organizations have been compromised, “including a significant number of small businesses, towns, cities and local governments,” according to cybersecurity researcher Brian Krebs.

There are 7,000 to 8,000 Microsoft Exchange servers in the UK that are considered potentially vulnerable to the attack, and about half have been patched, British security officials said on Friday.

Paul Chichester, director of operations for the UK’s National Cyber Security Centre, part of GCHQ, said it is “vital” that all organizations take “immediate steps” to protect their networks.

A senior US government official said the attackers appeared to be sophisticated and capable, but said that “they have taken advantage of the weaknesses that have been in that software since its creation”.

Additional reporting by Demetri Sevastopulo in Washington