‘Hack hit internal Microsoft database for tracking bugs four years ago’

An internal Microsoft database for monitoring bugs in its own software, among other things, was hacked in 2013 by a group that gained access to employees’ computers via a vulnerability.

More than a week after stories of the 2013 breach came out, Microsoft released a brief statement describing the hack as “limited” with no mention of the bug database. Five former Microsoft employees have now revealed to Reuters that information from this database also came into the hands of the hackers. Incidentally, the computers of Apple, Facebook and Twitter were also hacked in 2013 by the same group, which security researchers also refer to as Morpho, Butterfly and Wild Neutron.

The database contained descriptions of critical and unresolved bugs in commonly used software, such as the Windows operating system. Certain bugs were later used to hack other organizations and companies. According to Microsoft, there is no evidence that the stolen information was used for these hacks. However, three of the five ex-employees said it cannot be ruled out that the bugs have been used in new attacks. Microsoft probably fixed the vulnerabilities a few months after the hack; that means that the bugs at least temporarily enabled the hackers to break into other computers.

According to the five former employees of Microsoft, the bug database in question was poorly secured; it would only have required a password to access it. They state that Microsoft reported in an internal investigation that the captured bugs were being used for other hacks. But since this crucial bug information could have been obtained elsewhere, according to Microsoft, the company decided to keep quiet about it and not disclose the bug database hack. Microsoft also kept it under wraps because in many cases patches had already been released for the bugs later on.

The attack method by which the attackers managed to penetrate Microsoft’s corporate network hit the company’s Mac industry, among others. In 2013, it was previously announced that the attack was via the iPhoneDevSDK forum and mainly targeted OS X systems. Malicious JavaScript was placed on the popular forum via a hacked administrator account, which routed visitors to min.liveanalytics. There has been a Java zeroday exploit on that site since January 15, 2013.