A bombshell was dropped on the cybersecurity world this morning by news agency Reuters. According to their exclusive report, anonymous Microsoft Corporation whistleblowers reveal the software giant’s secret database of bugs and flaws was raided by a sophisticated hack attack in 2013.
Critical and wide open holes in some of the world’s most popular products, including the Windows OS, were exposed for months until Microsoft engineers detected the breach and patched the vulnerability. For the past four years, Microsoft has kept the intrusion totally top secret from customers, the industry, and government security agencies.
Five employees who used to work for the corporation say the infiltration is only the second of its kind ever detected where a software maker’s database for tracking bugs and errors was targeted. Complete descriptions and details of dangerous code mistakes that affect all of Microsoft’s products, used every day and all across the globe, are one of the sweetest prizes a government spy or malicious hacker could ever hope for. The database is a virtual cookbook of recipes for system back doors and exploits.
Early in 2013, a “highly skilled hacking group” successfully targeted the cream of the crop tech companies. Apple, Facebook, and Twitter reported incidents where intruders used a bug in Java that allowed remote access to Apple Macintosh computers. From there, it was easy for hackers to access corporate networks.
Security researchers can’t even agree on a name for the exclusive group. Wild Neutron, Morpho, and Butterfly are believed to be aliases for one industrious and mysterious team, and experts aren’t sure whether or not it is a government. If it is a foreign nation, they have no idea which one.
A week after news of the attacks came out, Microsoft admitted they too had been targeted. “As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,” the company’s February 22, 2013, statement read. “We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
The statement intentionally downplayed the break-in as limited and made no mention that the bug tracking data was stolen. Behind the scenes, it was total panic. Former cybersecurity expert at Homeland Security, Mark Weatherford, says access to accurate bug reports gives you the “keys to the kingdom.” He also had no knowledge of what happened at the time.
Weatherford points out that while most companies have airtight security around their intellectual property, flaw data isn’t as protected. “Your bug repository should be equally important,” he warns. The Microsoft database was secured with only a password. Since the attack, the database has been isolated from the rest of the network and now requires two passwords.
In the months between the attack and the fix, engineers were terrified that the hackers would exploit the knowledge to invade the networks of other corporations or even governments. According to Eric Rosenbach, “bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world.” Rosenbach was deputy assistant secretary of cyber defense at the time the incident happened, and never heard a word about it.
When Microsoft learned of the strike, they analyzed breaches from other companies that had been reported, looking for signs the bug data was being put to use. None of the five anonymous workers are aware of anything that would point to the leak being used to attack elsewhere, but three of them claim the review was not thorough enough to be conclusive.
Microsoft executives were comfortable it was conclusive enough to justify keeping quiet about the extent of the damage. Patches were already applied and after all, the hackers could have found the same information somewhere else just as easily. “They absolutely discovered that bugs had been taken,” claims one source. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”
Having access to holes in the world’s most popular operating system is almost as good to sophisticated cyber-warriors as the toolbox of NSA goodies looted earlier this year. NSA exploits were used to create the “WannaCry” ransomware that crippled the globe. Microsoft’s president, Brad Smith, compared that breach to “the U.S. military having some of its Tomahawk missiles stolen.” Hypocritically, he said at the time that keeping these things quiet is bad because of “the damage to civilians that comes from hoarding these vulnerabilities.”
Responding to an email from Reuters, Microsoft states, “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”