Date: 2016-01-01
(Adds Chinese Foreign Ministry comment that was omitted from an
earlier update)
By Joseph Menn
SAN FRANCISCO, Dec 30 - Microsoft Corp
experts concluded several years ago that Chinese authorities had
hacked into more than a thousand Hotmail email accounts,
targeting international leaders of China's Tibetan and Uighur
minorities in particular - but it decided not to tell the
victims, allowing the hackers to continue their campaign,
according to former employees of the company.
On Wednesday, after a series of requests for comment from
Reuters, Microsoft said it would change its policy and in future
tell its email customers when it suspects there has been a
government hacking attempt. Microsoft spokesman
Frank Shaw said the company was never certain of the origin of
the Hotmail attacks.
The company also confirmed for the first time that it had
not called, emailed or otherwise told the Hotmail users that
their electronic correspondence had been collected. The company
declined to say what role the exposure of the Hotmail campaign
played in its decision to make the policy shift.
The first public signal of the attacks came in May 2011,
though no direct link was immediately made with the Chinese
authorities. That's when security firm Trend Micro Inc
announced it had found an email sent to someone in Taiwan that
contained a miniature computer program.
The program took advantage of a previously undetected flaw
in Microsoft's own web pages to direct Hotmail and other free
Microsoft email services to secretly forward copies of all of a
recipient's incoming mail to an account controlled by the
attacker.
Trend Micro found more than a thousand victims, and
Microsoft patched the vulnerability before the security company
announced its findings publicly.
Microsoft also launched its own investigation that year,
finding that some interception had begun in July 2009 and had
compromised the emails of top Uighur and Tibetan leaders in
multiple countries, as well as Japanese and African diplomats,
human rights lawyers and others in sensitive positions inside
China, two former Microsoft employees said. They spoke
separately and on the condition that they not be identified.
Some of the attacks had come from a Chinese network known as
AS4808, which has been associated with major spying campaigns,
including a 2011 attack on EMC Corp's security division RSA that
U.S. intelligence officials publicly attributed to China.
Microsoft officials did not dispute that most of the attacks
came from China, but said some came from elsewhere. They did not
give further detail.
"We weighed several factors in responding to this incident,
including the fact that neither Microsoft nor the U.S.
government were able to identify the source of the attacks,
which did not come from any single country," the company said.
"We also considered the potential impact on any subsequent
investigation and ongoing measures we were taking to prevent
potential future attacks."
In announcing the new policy, Microsoft said: "As the threat
landscape has evolved our approach has too, and we'll now go
beyond notification and guidance to specify if we reasonably
believe the attacker is 'state-sponsored.'"
The Chinese government "is a resolute defender of cyber
security and strongly opposes any forms of cyberattacks",
Chinese Foreign Ministry spokesman Lu Kang said, adding that it
punishes any offenders in accordance with the law.
"I must say that if the relevant party has some real and
conclusive evidence, then it can carry out mutually beneficial
cooperation with China in a constructive way in accordance with
the existing channels," Lu said at a daily news briefing.
"But if there's the frequent spreading of unfounded rumours,
it will, in fact, be of no benefit to solving the problem,
enhancing mutual trust and promoting cybersecurity."
The Cyberspace Administration of China did not respond to a
request for comment.
INTERNAL DEBATE
After a vigorous internal debate in 2011 that reached
Microsoft's top security official, Scott Charney, and its
then-general counsel and now president, Brad Smith, the company
decided not to alert the users clearly that anything was amiss,
the former employees said. Instead, it simply forced users to
pick new passwords without disclosing the reason.
The employees said it was likely the hackers by then had
footholds in some of the victims' machines and therefore saw
those new passwords being entered.
One of the reasons Microsoft executives gave internally in
2011 for not issuing explicit warnings was their fear of
angering the Chinese government, two people familiar with the
discussions said.
Microsoft's statement did not address the specific positions
advocated by Smith and Charney. A person familiar with the
executives' thinking said that fear of Chinese reprisals did
play a role given the company's concerns about the potential
impact on customers.
Microsoft said the company had believed the password resets
would be the fastest way to restore security to the accounts.
"Our primary concern was ensuring that our customers quickly
took practical steps to secure their accounts, including by
forcing a password reset," the statement said.
It is unclear what happened to the email users and their
correspondents as a result of Microsoft's failure to alert them
to the suspected government hacking. But some of those affected
said they were now deeply worried about the risks, especially
for those inside China.
"The Internet service providers and the email providers have
an ethical and a moral responsibility to let the users know that
they are being hacked," said Seyit Tumturk, vice president of
the World Uyghur Congress, whose account was among those
compromised. "We are talking in people's lives here."
HUNDREDS OF LIVES
Unrest in Xinjiang, the Chinese region bordering Kazakhstan
that is home to many Uighurs, has cost hundreds of lives in
recent years. Beijing blames Islamist militants, while human
rights groups say harsh controls on the religion and culture of
the Uighurs have led to the violence.
Until Wednesday, Microsoft had rejected the idea of explicit
warnings about state-sponsored hacking, such as those Google Inc
began in 2012, the former employees said. In the 2011
case, the company also opted not to send a more generic warning
about hacking. Yahoo Inc and Facebook Inc have
been issuing such warnings for several years, former employees
of those companies told Reuters, including when the principal
suspect was a government.
Both companies, along with Twitter Inc, announced
in recent months that they would follow Google's lead and
explicitly notify users about suspected state-sponsored hacking.
Google said on average it now issues tens of thousands of
warnings about targeting every few months, and that recipients
often move to improve their security with two-factor
authentication and other steps.
Reuters interviewed five of the Hotmail hacking victims that
were identified as part of Microsoft's investigation: two Uighur
leaders, a senior Tibetan figure and two people in the media
dealing with matters of interest to Chinese officials.
Most recalled the password resets, but none took the
procedure as an indication that anyone had read his or her
email, let alone that it may have been accessed by the Chinese
government.
"I thought it was normal, everybody gets it," said one of
the men, a Uighur émigré now living in Europe who asked not to
be named because he left family behind in China.
Another victim identified by Microsoft's internal team was
Tseten Norbu of Nepal, a former president of the Tibetan Youth
Congress, one of the more outspoken members of a community that
has frequently clashed with Chinese officials. Another
Microsoft-identified victim was Tumturk, the World Uyghur
Congress vice president who lives in Turkey.
Microsoft investigators also saw that emails had been
forwarded from the account of Peter Hickman, a former American
diplomatic officer who arranged high-profile speeches by
international figures at the National Press Club in Washington
for many years.
Hickman said he used his Hotmail account on Press Club
computers to correspond with people, including the staff for the
Tibetan government in exile, whose leader Lobsang Sangay spoke
at the club in 2011; Tumturk's World Uyghur Congress, whose
then-president Rebiya Kadeer spoke in 2009; and the president of
Taiwan, who spoke by video link-up in 2007.
Hickman said he didn't recall the password reset. He said he
never suspected anything was wrong with the account, which he
continues to use.
(Reporting by Joseph Menn; Additional reporting by Humeyra
Pamuk in Istanbul and Sui-Lee Wee in Beijing; Editing by
Jonathan Weber and Martin Howell)