Hacker Tapped Into Microsoft for 3 Months

TIMES STAFF WRITERS

Some of the most closely guarded secrets in technology--the underlying source code to some Microsoft software--have been penetrated over the last three months. Many experts see this as a sign of the quickening evolution of computer hacking from an underground pastime into an instrument of bold industrial espionage.

Microsoft Corp. security officials discovered the electronic break-in Wednesday after noticing that some of their employees’ passwords, with access to the company’s computer network, were being sent to an outside e-mail address. According to some reports, the information was sent to a computer address in St. Petersburg, Russia.

The unknown intruder never gained access to any major software products, such as Windows ME, Windows 2000 or Microsoft Office, the company said. Only the code from an unspecified future product was accessible and nothing was changed, the company said.

Microsoft Chief Executive Steve Ballmer said the break-in was not very damaging. “But we want to make sure it doesn’t get that way, and that’s why we called in the FBI,” he told Reuters.

The company declined to reveal what software was the target of this attack, although it was for a product at least three years from production. Among the products Microsoft is developing is the next generation of Windows, code-named Whistler, and an update to its Office suite of business software. These products are part of Microsoft’s strategy to build the Internet into all its software.

A potentially more troubling problem is the enormous amount of e-mail messages and internal documents that would have also been open to the intruder during a three-month period.

“Microsoft has a lot of material on its computers, things like contracts, shipping information and other business documents,” said Eugene H. Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University. “If you have access to the system, you can see whatever is stored there and monitor whatever is moving along the wires.”

Just four months ago, Oracle Corp., a longtime nemesis of Microsoft, admitted it had paid a detective to go through garbage bins looking for information that could have assisted in the prosecution of the ongoing landmark Microsoft antitrust case.

“There’s no question that somebody--and not just a business rival--could have been searching for a smoking gun that would make it easier to convict Microsoft of a crime,” Spafford said. “These don’t necessarily have to be parties with a commercial interest. Hacker groups and even some governments are very unhappy with Microsoft.”

Experts say a significant breach of security at the world’s most powerful software company vividly demonstrates that computer hacking, once the province of shaggy-haired geeks, has long since evolved into a tool of Information Age espionage.

“The elan of the hacker, the adventurous culture of the hacker--we’ve moved on from all of that,” said Richard Power, editorial director of the Computer Security Institute in San Francisco. “There are corporations and governments and freelancers that are going straight into your systems, taking the secrets they want and using them [for] research and development, or to sell them.”

What has set this penetration apart from the usual hacker attacks is Microsoft’s determination that it was the victim of a more modern variant specifically seeking commercial secrets.

“We are very confident in describing this as an act of industrial espionage,” said Microsoft spokesman Dan Leach.

The extent of damage from the hacker is still uncertain and could range from minor mischief to a serious theft of company secrets.

Neither Microsoft nor the FBI has released any details about how the company’s computer system was penetrated. But one theory being discussed by security experts is that Microsoft was the victim of a relatively well-known virus that emerged out of China this summer known as the QAZ Trojan.

The QAZ virus is typically transmitted as an e-mail attachment. Once the virus is installed on a computer, it disguises itself as the standard Windows Notepad word processing program.

The virus collects passwords and then opens a “back door” route for the intruder to secretly enter the network. Once the passwords are discovered, the intruder can simply sign on to the Microsoft network like a regular employee.

The virus also spreads itself to other computers on the same network so that if it is cleaned off one computer the intruder still has many “Trojan horses” lying in wait.

Experts agreed that if Microsoft was compromised using the QAZ Trojan, it would reflect poorly on the company’s security prowess. “They might as well have no security,” said Power of the Computer Security Institute.

The QAZ virus raises the possibility that Microsoft was not the victim of a cunning industrial spy but an amateur who got lucky with a relatively well-known virus, analysts said.

Although Microsoft insists that its source code was not tampered with, any theft of these software blueprints by duplicating the file would be another matter.

“It’s not really possible to know how much damage was done. [Discovering] whether source code was removed . . . or what other type of Trojans might be lying around to be activated later--especially on a network the size of Microsoft’s--would take a long time to determine,” said John Pescatore, a security expert with the research firm Gartner Group. “Good hackers hide their tracks very well.”

If Microsoft’s source code was stolen, the commercial implications could be minor, given that Windows’ operating system is found in more than 90% of personal computers.

The software titan, however, might face a security nightmare: Sabotaged copies of Microsoft products could intentionally or accidentally be introduced by software pirates, particularly in Asia, where piracy is widespread. Or hackers could examine the code to discover as-yet-unknown security vulnerabilities that could be exploited in attacks on computers that operate on Microsoft products.

The attack on Microsoft’s network has raised yet another warning flag for other companies on the growing sophistication of hacking tools.

“Microsoft has an absolutely top-notch security team,” said Amit Yoran, chief executive of RipTech, a security firm in Alexandria, Va., and a former security chief for the Defense Department. “If indeed [hackers had access for] three months, that would be a grave concern . . . . It would suggest that companies with fewer security resources would be at even greater risk.”

Power, whose Computer Security Institute conducts an annual security survey of large corporations and public agencies with the FBI, said that 20% of respondents lost proprietary data from hacking last year--an estimated $66 million worth of damage.

That estimate may be conservative, experts say, because corporations rarely report successful hacks; they fear adverse publicity or the prospect of becoming a popular target.

“I know of numerous cases in which software vendors, including security software vendors, have been hacked and their source code has been compromised, but it never came to light,” Power said.

Bruce Schneier, author of “Secrets and Lies,” a book about network security, said the quickly rising sophistication of hackers will only mean more breaches in the future.

“The surprising thing is not that Microsoft got whacked but that they discovered it at all,” Schneier said.
