Microsoft says Chinese hackers used code flaw to steal e-mails from US agencies
Sign up now: Get ST's newsletters delivered to your inbox
Hackers used a misappropriated company key to take advantage of “a validation error in Microsoft code”.
PHOTO: REUTERS
Follow topic:
WASHINGTON - Microsoft said on Friday that Chinese hackers misappropriated one of its digital keys and used a flaw in the company’s code to steal e-mails from United States government agencies
The company said in a blog post that the hackers were able to use the key – acquired under undisclosed circumstances – and take advantage of “a validation error in Microsoft code” to carry out their cyber-espionage campaign.
The blog provided the most fulsome explanation yet for a hack that rattled both the cyber-security industry and China-US relations.
Beijing has denied any involvement in the spying.
Microsoft and US officials said on Wednesday night that Chinese state-linked hackers had since May been secretly accessing e-mail accounts at around 25 organisations.
US officials said these organisations included at least two government agencies: the State and Commerce Departments.
US Secretary of State Antony Blinken told China’s top diplomat Wang Yi in a meeting in Jakarta
Microsoft’s blog post did not explain how the hackers got their hands on one of the company’s digital keys, leading some experts to speculate that Microsoft itself had been hacked ahead of the thefts.
The company did not immediately respond to questions about the key.
The breach has thrown Microsoft’s security practices under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top level of digital auditing, also called logging, available to all its customers free of charge.
Microsoft said in a statement late on Thursday that it was taking the criticism on board.
“We are evaluating feedback and are open to other models,” the company said, adding that it was “actively engaged” with US officials on the matter. REUTERS
