Microsoft ‘Did Not Disclose 2013 Breach Of Bug Database’

A 2013 breach of Microsoft’s internal systems was more extensive than the company admitted at the time, giving hackers access to a secret repository of software bugs that could have been used to hack into the systems of other users or organisations, according to a report.

In February 2013 Microsoft acknowledged it had been hacked by a secretive group that had also targeted companies including Apple, Facebook and Twitter, but it described the incident only as affecting a “small number of computers” and as not having affected customer data.

Bug database breached

“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations,” Microsoft said at the time. “We have no evidence of customer data being affected, and our investigation is ongoing.”

The company didn’t disclose the fact that the hackers had accessed Microsoft’s internal database of unfixed security vulnerabilities in software including Windows, according to Reuters, which cited five unnamed former employees describing the incident in separate interviews.

The report is embarrassing for Microsoft, which last year criticised the US’ National Security Administration (NSA) for “hoarding” secret vulnerabilities so that it could use them to infiltrate computer systems.

The NSA bugs and the code used to exploit them were published by hackers earlier this year, after which they were used to spread the widely disruptive WannaCry and NotPetya malware in May and June.

In May Microsoft president Brad Smith said the NSA was to blame for “the damage to civilians that comes from hoarding these vulnerabilities”.

Quiet investigation

Following the 2013 hack Microsoft investigated to determine whether the hackers who had accessed its systems had used the vulnerabilities in its database to carry out any hacks on third parties, the former Microsoft employees said.

They determined that while those bugs had in fact been used to carry out attacks, the hackers involved could have learned of the vulnerabilities from elsewhere – there was no evidence linking the other attacks to the Microsoft breach.

Microsoft used the findings internally to justify its decision not to disclose that its bug database had been hacked, the former employees said.

But three of the five former staff argued Microsoft’s investigation was based on insufficient information, citing its reliance on automated bug reports that aren’t generated by sensitive systems.

“They absolutely discovered that bugs had been taken,” one former employee told Reuters. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”

Two current, unnamed staff interviewed for the report said Microsoft continues to stand by the investigation’s conclusions. Microsoft declined to discuss the incident.

‘Powerful threat actor’

After the incident Microsoft strengthened security around the bug database, separating it from the main corporate network and using stronger authentication, the former employees said.

“Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected,” Microsoft said in a statement.

Little is known about the hacking group behind the 2013 breaches, known to different investigating teams as Morpho, Butterfly and Wild Neutron, but Kaspersky Lab estimates it has been active since at least 2011.

Kaspersky describes the group as a “powerful threat actor” that is “engaged in espionage, possibly for economic reasons”.

The 2013 attacks involved luring company staff to forum websites that had been hacked, where they were exposed to an automated Java exploit that wasn’t known to security firms or developers at the time.

The hackers then moved from the infected employee systems to others on their corporate networks.

Mozilla, developer of the Firefox browser, also had its bug database hacked in 2015, but provided extensive details about the incident and advised users to apply patches.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
