In the incident, which Microsoft described at the time as limited, hackers reportedly accessed the company’s internal database of unfixed software flaws
A 2013 breach of Microsoft’s internal systems was more extensive than the company admitted at the time, giving hackers access to a secret repository of software bugs that could have been used to hack into the systems of other users or organisations, according to a report.
In February 2013 Microsoft acknowledged it had been hacked by a secretive group that had also targeted companies including Apple, Facebook and Twitter, but it described the incident only as affecting a “small number of computers” and as not having affected customer data.
Bug database breached
“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations,” Microsoft said at the time. “We have no evidence of customer data being affected, and our investigation is ongoing.”
The company didn’t disclose the fact that the hackers had accessed Microsoft’s internal database of unfixed security vulnerabilities in software including Windows, according to Reuters, which cited five unnamed former employees describing the incident in separate interviews.
The report is embarassing for Microsoft, which last year criticised the US’ National Security Administration (NSA) for “hoarding” secret vulnerabilities so that it could use them to infiltrate computer systems.
The NSA bugs and code used to exploit them were published hackers earlier this year, after which they were used to spread the widely disruptive WannaCry and NotPetya malware in May and June.
In May Microsoft president Brad Smith said the NSA was to blame for “the damage to civilians that comes from hoarding these vulnerabilities”.
Following the 2013 hack Microsoft investigated to determine whether the hackers who had accessed its systems had used the vulnerabilities in its database to carry out any hacks on third parties, the former Microsoft employees said.
They determined that while those bugs had in fact been used to carry out attacks, the hackers involved could have learned of the vulnerabilities from elsewhere – there was no evidence linking the other attacks to the Microsoft breach.
Microsoft used the findings internally to justify its decision not to disclose that its bug database had been hacked, the former employees said.
But three of the five former staff argued Microsoft’s investigation was based in insufficient information, citing its reliance on automated bug reports that aren’t generated by sensitive systems.
“They absolutely discovered that bugs had been taken,” one former employee told Reuters. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”
Two current, unnamed staff interviewed for the report said Microsoft continues to stand by the investigation’s conclusions. Microsoft declined to discuss the incident.
‘Powerful threat actor’
After the incident Microsoft strengthened security around the bug database, separating it from the main corporate network and using stronger authentication, the former employees said.
“Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected,” Microsoft said in a statement.
Little is known about the hacking group behind the 2013 breaches, known to different investigating teams as Morpho, Butterfly and Wild Neutron, but Kaspersky Lab estimates it has been active since at least 2011.
Kaspersky describes the group as a “powerful threat actor” that is “engaged in espionage, possibly for economic reasons”.
The 2013 attacks involved luring company staff to forum websites that had been hacked, where they were exposed to an automated Java exploit that wasn’t known to security firms or developers at the time.
The hackers then moved from the infected employee systems to others on their corporate networks.
Mozilla, developer of the Firefox browser, also had its bug database hacked in 2015, but provided extensive details about the incident and advised users to apply patches.
Do you know all about security in 2017? Try our quiz!