There is evidence that more US cyber invasions are being initiated in China.
Microsoft Corp. is working to gather more evidence to prove that hackers behind a worldwide cyberattack may have obtained sensitive information necessary to launch the attack from private disclosures it made with some of it security partners.
The company is centering the investigation, in part, on the question of how a stealthy attack that began in January, picked up steam in the week before the company was able to send a software fix to customers.
In that time, a handful of China-linked hacking groups obtained the tools that allowed them to launch wide-ranging cyberattacks that have now infected computers all over the world running Microsoft’s Exchange email software.
Investigators have focused on whether a Microsoft partner with whom it shared information about the bug hackers, leaked it to other groups, either inadvertently or on purpose.
Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, bear similarities to a “proof of concept” attack code that Microsoft distributed to anti-virus companies and other security partners on Feb. 23.
Microsoft planned to release its security fixes two weeks later on March 9, but after the second wave began, it pushed out the patches a week early, on March 2, according to researchers.
Microsoft and others have been reviewing an information-sharing program called the Microsoft Active Protection Program, or Mapp, which was created in 2008 to give security companies a head start in detecting emerging threats.
How the hackers obtained the tools is important to Microsoft and others scrambling to assess the damage of the historically large cyberattack, which has allowed other hacking groups to capitalize on the vulnerabilities for their own purposes.
Microsoft released its information weeks in advance of the patch to the Mapp Validate Partners on Feb. 23, saying it expected to patch the Exchange bugs on March 9, according to people familiar with the Mapp communications.
In 2012, Microsoft ejected a Chinese company, Hangzhou DPTech Technologies Co. from Mapp, after determining it had leaked proof-of-concept code that could be used in an attack and that code appeared on the Chinese website.
Although Microsoft’s investigation has reached no conclusion, investigators are looking at whether information contained in a Feb. 23 notice to a select group of security companies may have made its way to the attackers.