Five former employees told Reuters that Microsoft quietly dealt with a hack of its vulnerabilities and bug reports database back in 2013 without telling anyone.
The former employees say Microsoft fixed all bugs and vulnerabilities contained in the hacked database within months so that the flaws would have limited use against its users.
Microsoft also investigated breaches at third-party companies in the following period to see if any of the vulnerabilities contained within the breached database were deployed in live attacks. The company did not find any evidence.
Hack carried out by Wild Neutron APT
Reuters claims the attack was carried out by a cyber-espionage group known under various names, such as Wild Neutron, Morpho, Jripbot, Butterfly, ZeroWing, or Sphinx Moth.
These hacks came to light in February 2013. A few weeks later, Microsoft also issued a brief statement admitting a similar breach, but said the attackers had limited access to its network.
“As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,” Microsoft said at the time. “We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
The Wild Neutron attacks on Twitter and Facebook were carried out via drive-by downloads that exploited a Java zero-day (CVE-2013-0422). Attackers lured Twitter and Facebook employees to hacked forums (iphonedevsdk.com and others), where they served an automated Java zero-day exploit.
Wild Neutron went into hiding after its operations were discovered, but returned to action in 2014 and 2015 with new attacks against a wider range of targets, as described in these reports [1, 2, 3, 4].
Mozilla chose a better way to deal with a similar incident
Microsoft is not the first company to have its vulnerabilities and bug reports database hacked. Mozilla suffered a similar incident in 2015, but the organization came clean about the attack, sharing all the available facts.
Microsoft is also not the first major company to suffer a data breach at the hands of an advanced cyber-espionage unit. In 2015, Kaspersky admitted to having been compromised by the Duqu 2.0 APT, which later turned out to be Israel’s intelligence agency gathering data on Kaspersky’s possible involvement with the Russian government.
Bitdefender also suffered a similar data breach in 2015, but that was only a mundane hacker trying to extort the company.
After the WannaCry outbreak earlier this year, Microsoft’s Chief Legal Officer Brad Smith likened the NSA losing its cyber-weapons to the US military losing its Tomahawk missiles. Ironically, this is what appears to have happened to Microsoft in 2013, and the company kept it under wraps without even warning users of the possible danger.