date 2021-03-13

Microsoft Corp. is investigating whether the hackers behind a world-wide cyberattack may have obtained sensitive information necessary to launch the attack from private disclosures it made with some of its security partners, according to people familiar with the matter.

The investigation centers in part on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers. In that time, a handful of China-linked hacking groups obtained the tools that allowed them to launch wide-ranging cyberattacks that have now infected computers all over the world running Microsoft’s Exchange email software.

Investigators have focused on whether a Microsoft partner with whom it shared information about the bug hackers were exploiting leaked it to other groups, either inadvertently or on purpose, the people said.

Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, bear similarities to “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.

Microsoft and others have been reviewing an information-sharing program called the Microsoft Active Protections Program (Mapp), which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in this release.

How the hackers obtained the tools is important to Microsoft and others scrambling to assess the damage of the historically large cyberattack, which has allowed other hacking groups to capitalize on the vulnerabilities for their own purposes. Microsoft said this week it had spotted ransomware, or malicious software that locks up its victims’ computers until they pay the hackers, being used to target networks that hadn’t yet been patched. Because many of the targeted organizations are small businesses, schools and local governments, security experts said they could be especially exposed to debilitating attacks.

Senior Biden administration officials have described the problem in dire terms over the past week, urging organizations to immediately patch their systems. No federal systems are currently known to have been compromised, though officials are still probing possible agencies’ exposure. President Biden has been briefed about the hack and the administration has created an interagency cybersecurity coordination group focused on the hack, a National Security Council spokeswoman said.

A Microsoft spokesman said the company has seen “no indications” of a leak from inside the company. The people with whom it shared the security information in February, known as Mapp Validate Partners, are longtime partners that have the breadth and size to test and detect vulnerabilities, he said.

The spokesman said there would be consequences if the Mapp partnership were abused. “If it turns out that a Mapp partner was the source of a leak, they would face consequences for breaking the terms of participation in the program,” he said via email.

In 2012, Microsoft ejected a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack and that code appeared on a Chinese website.

Although Microsoft’s investigation has reached no conclusion, investigators are looking at whether information contained in a Feb. 23 notice to a select group of security companies may have made its way to the attackers, the sources said.

The Feb. 23 alert contained technical details about unpatched flaws in Exchange along with the “proof of concept” sample, which could be used to attack these systems.

Microsoft released its information weeks in advance of the patch to the Mapp Validate Partners on Feb. 23, saying that it expected to patch the Exchange bugs two weeks later, on March 9, according to sources familiar with the Mapp communications.

But four days after this notification, on Feb. 27, the China-linked hackers began scanning the internet for servers that contained the Exchange flaws. Starting on Feb. 28, four separate hacking groups began their widespread attack, according to the security firm ESET. Other security firms have linked these groups to China, which has said it “opposes and combats cyberattacks and cyber-thefts in all forms.”

“This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch,” ESET said in a blog post Wednesday.

The Exchange cyberattack could give the hackers a foothold in these organizations for years. As companies and other organizations struggle to apply Microsoft’s patches, new attackers have begun exploiting these bugs. On Thursday, after exploit code was posted to the internet, a new family of ransomware, called DearCry, began appearing on Exchange servers, Microsoft said in a Twitter post.

Security researchers are continuing to examine how an initial group of alleged Chinese hackers appear to have exploited the bugs more than a month before Microsoft’s Mapp announcement. That group, known as Hafnium, is a highly sophisticated China-based group that conducted a low volume of targeted cyberattacks, trying to steal information from infectious-disease researchers, law firms and educational institutions, Microsoft said.

Hafnium may or may not have shared its knowledge with other groups, investigators say.

How Hafnium learned of the incident is unclear, investigators say, adding that it may have discovered the bugs itself or it may have learned of them from a security company that found them.

“Security researchers are clearly a target of cyber-espionage actors who are probably targeting them to enhance their own capabilities,” said John Hultquist, director of intelligence analysis at the cybersecurity company FireEye Inc.

One security company that discovered the bugs in December is Devcore, a Taiwanese company that specializes in “red team” security assessments, in which its employees simulate a cyberattack on clients to test their defenses.

Devcore reported the bugs to Microsoft on Jan. 5, said Bowen Hsu, a project manager with the company. That is two days after the first known Chinese cyberattack, according to the security firm Volexity. Mr. Hsu said that Devcore doesn’t know when the attack started or who the attacker is.

It is also possible, investigators say, that Devcore itself may have been hacked or may have inadvertently provided details of the attack to the Chinese during one of its security engagements.

When it learned that the Exchange flaws it had discovered were being exploited by hackers, Devcore launched an internal investigation, Mr. Hsu said. It hasn’t uncovered any concerns during the investigation, he said.

Founded in 2012, Devcore has a reputation for hiring top-notch Taiwanese hacking talent, including a well-respected hacker named Orange Tsai, who discovered the Exchange flaws. In 2019, Mr. Tsai received a Pwnie Award, the equivalent of a hacker’s Oscar, for a bug he found in virtual-private-network server software.

On the day Devcore reported its findings to Microsoft in January, Mr. Tsai wrote on Twitter that the bug he had found “might be the most serious…I have ever reported.” Then he added that he hoped nobody had duplicated his work.