After many years, Microsoft finally concluded that Chinese authorities had indeed hacked thousands of Hotmail accounts belonging to China’s Tibetan and Uyghur minorities, but at the time it did not warn the users, leaving the victims in the dark about the matter.
Former Microsoft employees provided this information. Commenting on Microsoft’s behalf, spokesman Frank Shaw said that policies will change to allow victims to be warned in case of a hack, and that Microsoft was never sure about the source of the Hotmail attacks.
Microsoft confirmed that at the time it did not warn its Hotmail users about the issue. The company declined to say whether this problem had some influence on the decision to change its policy to warn users.
This problem was traced back to 2011, when Trend Micro announced it had found emails sent from Taiwan containing a miniature computer program, but at the time it wasn’t linked to Chinese authorities.
To hack Hotmail users, the Chinese authorities exploited an undetected flaw in a Microsoft page to “secretly forward copies of all of a recipient’s incoming mail to an account controlled by the attacker.”
By the time Trend Micro made the flaw public, Microsoft had already patched the vulnerability.
At the same time, Microsoft started its own investigation, concluding that some Hotmail accounts had been intercepted since July 2009. These email accounts included those of Uyghur and Tibetan leaders from multiple countries, as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China, said former Microsoft employees.
Some of the attacks were coming from AS4808, a Chinese network normally associated with spying campaigns.
Microsoft doesn’t deny that the majority of the attacks came from China, but adds that some of them came from elsewhere, without giving details.
“We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country,” the company said. “We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”
Microsoft also talked about its new policy: “As the threat landscape has evolved our approach has too, and we’ll now go beyond notification and guidance to specify if we reasonably believe the attacker is ‘state-sponsored.’”
On the Chinese government side, Foreign Ministry spokesman Lu Kang said China “is a resolute defender of cyber security and strongly opposes any forms of cyber attacks” and that any offender will be punished according to the law. He added,
“I must say that if the relevant party has some real and conclusive evidence, then it can carry out mutually beneficial cooperation with China in a constructive way in accordance with the existing channels.” “But if there’s the frequent spreading of unfounded rumors, it will, in fact, be of no benefit to solving the problem, enhancing mutual trust and promoting cyber security.”
In conclusion, I think it is important that Microsoft and other companies are changing their policies to protect their users from attacks, but it’s sad that this happens only after things like this happen and become public. It would be good if companies could be more transparent in their processes.
About the Author Elsio Pinto
(Security Affairs – Chinese hackers, Tibetan)