Microsoft is investigating whether security companies it works with have leaked details about vulnerabilities in its software that allowed hackers to extend a massive cyber attack late last month, people who have been briefed on the investigation said.
Microsoft originally blamed Hafnium, a Chinese state-backed hacking group, for the first wave of attacks in January.
Just as the company prepared to announce the hack and offer fixes, the attacks – which had targeted “specific individuals” at US think tanks and nongovernmental organizations – suddenly escalated and became more indiscriminate.
According to researchers, several other Chinese hacking groups started launching attacks in late February as part of a second wave.
“We are looking at the cause of the spike in malicious activity and have not yet drawn any conclusions,” Microsoft said, adding that it had seen “no evidence” that the information had been leaked from within the company.
People familiar with the investigation said Microsoft had investigated whether any of the roughly 80 cyber security companies that were notified of the threats and patches in advance might have passed information to hackers. Members of the Microsoft Active Protections Program (MAPP) include Chinese companies such as Baidu and Alibaba.
“If it turns out that a MAPP partner was the source of a leak, they would be affected if they violate the terms of participation in the program,” Microsoft said.
The investigation, first reported by Bloomberg, comes as criminal ransomware gangs have stepped up efforts to attack companies that have not yet updated their systems with Microsoft’s patches. Government officials around the world are still assessing the damage caused by the hackers.
Jake Sullivan, the White House’s national security adviser, said the US was mobilizing a response, but “still trying to determine the scope and scale” of the attack. He added that “it was certainly true that the malicious actors are still in some of these Microsoft Exchange systems.”
While Sullivan did not confirm Microsoft’s claim that China was responsible for most of the attacks, he said Washington planned to provide attribution “in the near future.”
“We will not hide the ball on that,” he said.
Cyber security researcher Brian Krebs said more than 30,000 US companies have been affected, “including a significant number of small businesses, towns, cities and local governments.”
There are 7,000-8,000 Microsoft Exchange servers in the UK that are considered potentially vulnerable as a result of the hack and about half have already been patched, UK security officials said Friday.
Paul Chichester, Chief Operating Officer of the UK’s National Cyber Security Centre, a branch of GCHQ, said it is “essential” that all organizations take “immediate action” to protect their networks.
A senior US government official said the attackers appeared sophisticated and capable, but said “they took advantage of the weaknesses in that software from the start.”
Additional reporting by Demetri Sevastopulo in Washington