Microsoft Corp. may revise a program that shares coding flaws in its products with other companies after a suspected leak led to a sprawling cyber-attack against thousands of Microsoft Exchange email clients globally.
The technology giant is weighing how and when to share data with at least some of the 81 participants in the Microsoft Active Protections Program, according to six people familiar with it including existing members who sought anonymity citing a Microsoft non-disclosure agreement. The others requested anonymity because they aren’t authorized to discuss the matter publicly.
MAPP grants some customers information about vulnerabilities in Microsoft’s products and services days or weeks ahead of public disclosure. It is widely regarded by participants as a critical data-sharing tool to defend against potential attacks.
However, Microsoft fears MAPP participants may have tipped off hackers after the company shared a critical vulnerability with its top tier of members around Feb. 18, according to four people familiar with Microsoft’s investigation into the cause of the attack. Microsoft publicly released software updates to patch the problem on March 2.
The company’s inquiry has focused on at least two Chinese companies as possible sources of the leak, according to the people familiar with the probe. Four MAPP participants told Bloomberg News they’d recently disclosed detailed logs of network activity to Microsoft since the Exchange attack. In some cases, companies volunteered the data unprompted, while in others Microsoft requested additional data. The companies asked to remain anonymous, citing their non-disclosure agreement with Microsoft.
Microsoft’s vulnerability disclosure in late February was followed by one of the most efficient, wide-ranging cyber-attacks in history. Microsoft has blamed state-sponsored Chinese hackers, dubbed Hafnium, for the attack which compromised more than 60,000 government, corporate and private email systems around the world, much of which occurred over the last weekend in February.
Microsoft declined to comment on potential changes to MAPP, nor would the company discuss its MAPP disclosures in February or possible leaks by participants. The company said it remained committed to the program and its wide-ranging list of members from the U.S., Israel, Russia, China, Japan, Australia, India and parts of Europe.
“We believe there are many benefits to mutual information sharing with the security community to help protect our mutual customers against attacks,” the company said in a statement. “We continue to evaluate how to best balance the benefits of this sharing with the risk of early disclosures.”
In response to queries from Bloomberg News, China’s Ministry of Foreign Affairs stated, “China resolutely opposes any form of online attacks or infiltration. This is our clear and consistent stance. Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyber-attacks and other criminal activity.”
China has proposed a global security standard which it says is “for the benefit of international digital governance” and urged others to work with it to safeguard global data security. “We hope the media adopts a professional and responsible attitude, relying on comprehensive evidence when determining the nature of cyberspace events, but not groundless speculation,” according to the ministry’s statement.