The investigation centers in part on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers. In that time, a handful of China-linked hacking groups obtained the tools that allowed them to launch wide-ranging cyberattacks that have now infected computers all over the world running Microsofts Exchange email software.Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.

One focus of the investigation has been an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in this release.

WSJ Pro Cybersecurity

Cybersecurity news, analysis and insights from WSJ’s global team of reporters and editors.

How the hackers obtained the tools is important to Microsoft and others scrambling to assess the damage of the historically large cyberattack, which has allowed other hacking groups to capitalize on the vulnerabilities for their own purposes. Microsoft said this week it had spotted ransomware, or malicious software that locks up its victims computers until they pay the hackers, being used to target networks that hadnt yet been patched. Because many of the targeted organizations are small businesses, schools and local governments, security experts said they could be especially exposed to debilitating attacks.

Senior Biden administration officials have described the problem in dire terms over the past week, urging organizations to immediately patch their systems. No federal systems are currently known to have been compromised, though officials are still probing possible agency exposure. President Biden has been briefed about the hack and the administration has created an interagency cybersecurity coordination group focused on the hack, a National Security Council spokeswoman said.

Microsoft said there would be consequences if the Mapp partnership had been abused. If it turns out that a Mapp partner was the source of a leak, they would face consequences for breaking the terms of participation in the program, a Microsoft spokesman said via email.

In 2012, Microsoft ejected a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack and that code appeared on a Chinese website.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8