Microsoft is investigating whether security companies that it works with leaked details about vulnerabilities in its software, helping hackers to expand a huge cyber attack at the end of last month, according to people briefed on the inquiry.
Microsoft originally blamed Hafnium, a Chinese state-backed hacking group, for the first spate of attacks in January.
Just as the company prepared to announce the hack and provide fixes, however, the attacks — which targeted “specific individuals” at US think tanks and non-governmental organisations — suddenly escalated and became more indiscriminate.
Several other Chinese hacking groups began launching attacks as part of a second wave at the end of February, according to researchers.
“We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions,” Microsoft said, adding that it had seen “no indications” that the information was leaked from inside the company.
People familiar with the investigation said Microsoft had been looking into whether the 80 or so cyber security companies that get advance notice of threats and patches from it might have passed on information to hackers. Members of the Microsoft Active Protections Program (MAPP) include Chinese companies such as Baidu and Alibaba.
“If it turns out that a MAPP partner was the source of a leak, they would face consequences for breaking the terms of participation in the program,” Microsoft said.
The investigation, first reported by Bloomberg, comes as criminal ransomware gangs have escalated efforts to attack companies that have not yet updated their systems with Microsoft patches. Government officials globally are still assessing the damage caused by the hackers.
Jake Sullivan, the White House’s national security adviser, said the US was mobilising a response but was “still trying to determine the scope and scale” of the attack. He added that it was “certainly the case that the malign actors are still in some of these Microsoft Exchange systems”.
While Sullivan did not confirm Microsoft’s assertion that China was responsible for most of the attacks, he said Washington intended to provide attribution “in the near future”.
“We won’t hide the ball on that,” he said. More than 30,000 US companies have been hit “including a significant number of small businesses, towns, cities and local governments”, according to cyber security researcher Brian Krebs.
There are 7,000 to 8,000 Microsoft Exchange servers in the UK that are deemed potentially vulnerable as a result of the hack and about half have already been patched, British security officials said on Friday.
Paul Chichester, director of operations at the UK’s National Cyber Security Centre, a branch of GCHQ, said that it was “vital” that all organisations take “immediate steps” to protect their networks.
A senior US administration official said the attackers appeared to be sophisticated and capable, but said “they took advantage of weaknesses that were in that software from its creation”.
Additional reporting by Demetri Sevastopulo in Washington