Microsoft probing whether a leak played a role in suspected China-linked hack

Microsoft Corp. is investigating whether a global cyber attack on tens of thousands of its corporate customers could be related to an information leak by the company or its partners, according to people familiar with the matter.

The investigation centers in part on the question of how a sneak attack that started in early January gained momentum in the week before the company was able to send a software fix to customers. At that time, a handful of hacker groups linked to China obtained the tools that allowed them to launch far-reaching cyber attacks that have already infected computers around the world running Microsoft’s Exchange e-mail software.

Some of the tools used in the second wave of the attack, which is believed to have started on February 28, bear similarities to the “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on February 23, researchers at security companies say. Microsoft planned to release its security patches two weeks later, on March 9, but after the second wave started, it released the patches a week earlier, on March 2, according to researchers.

One focus of the investigation was an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies an edge in detecting emerging threats. Mapp includes around 80 security companies worldwide, about 10 of which are based in China. A subset of Mapp partners received Microsoft’s February 23 notification, which included proof of concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in this release.

The way in which hackers obtained the tools is important to Microsoft and others trying to assess the damage from the historically large cyber attack, which has allowed other groups of hackers to capitalize on the vulnerabilities for their own purposes. Microsoft said this week that it had detected ransomware, malicious software that locks victims’ computers until they pay the hackers, being used to target networks that have not yet been fixed. Since many of the organizations targeted are small businesses, schools and local governments, security experts said they may be especially exposed to debilitating attacks.
