Microsoft never disclosed 2013 hack of secret vulnerability database

Database contained details required to carry out highly advanced software attacks.

Microsoft in Dublin, Ireland.

Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks. But the software developer never disclosed the breach, Reuters reported, citing former company employees.

In an article published Tuesday, Reuters said Microsoft's decision not to disclose details came after an internal review concluded the exploits used in later attacks could have been discovered elsewhere. That investigation relied, in part, on automated reports Microsoft receives when its software crashes. The problem with that approach, Reuters pointed out, is that advanced computer attacks are written so carefully they rarely cause crashes.

Reuters said Microsoft discovered the database breach in early 2013, after a still-unknown hacking group broke into computers belonging to a raft of companies. Besides Microsoft, the affected companies included Apple, Facebook, and Twitter. As reported at the time, the hackers infected a website frequented by software developers with attack code that exploited a zero-day vulnerability in Oracle's Java software framework. When employees of the targeted companies visited the site, they became infected, too.

Facebook was the first company to admit its computers were compromised. A week later, Microsoft said that its employees were also infected. The software developer went on to say only that the hack affected "a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."

Extremely valuable to hackers

According to Reuters reporter Joseph Menn, the hackers were able to use their access to one or more Microsoft employee computers to break into a database containing descriptions of critical and unfixed vulnerabilities in Windows and other company software. This type of technical information is extremely valuable to hackers because it provides virtually all of the details required to carry out highly advanced attacks that execute malicious code on vulnerable computers.

Menn reported:

Concerns that hackers were using stolen bugs to conduct new attacks prompted Microsoft to compare the timing of those breaches with when the flaws had entered the database and when they were patched, according to the five former employees.

These people said the study concluded that, even though the bugs in the database were used in ensuing hacking attacks, the perpetrators could have gotten the information elsewhere.

That finding helped justify Microsoft’s decision not to disclose the breach, the former employees said, and in many cases patches already had been released to its customers.

Three of the five former employees Reuters spoke with said the study could not rule out stolen bugs having been used in follow-on attacks.

"They absolutely discovered that bugs had been taken," said one. "Whether or not those bugs were in use, I don't think they did a very thorough job of discovering."

Tuesday's report said that the top officials at both the US Homeland Security Department and the Pentagon learned of the breach only recently, when Reuters told them about it.

The 2013 breaches of Microsoft and the other three tech companies were carried out by a group alternately known as Morpho, Butterfly, Jripbot, and Wild Neutron. The group remains active, and researchers still don't know much about it. Researchers from Kaspersky Lab said the hackers have been active since at least 2011 in attacks targeting law firms, Bitcoin-related companies, investment firms, and IT companies. In 2015, Symantec said the group had targeted at least 49 different organizations in more than 20 countries in a bid to steal intellectual property.