For many years, Microsoft has operated a website called TechNet, where IT professionals can download technical materials on Microsoft’s products and get help troubleshooting problems.
On Wednesday, security company FireEye revealed that hackers had infiltrated TechNet in an ingenious way, to operate one of their illegal networks, called a botnet.
These hackers did not break into TechNet’s security. Instead they setup ordinary user profiles on TechNet, then stuffed those profiles with malware. They went to forum pages and dropped malware there, too. FireEye called it “hiding in plain sight.”
This wasn’t so much a tactic to hack IT professionals who visited TechNet, as it was to hide their nefarious activities from the botnet hunters trying to shut them down, FireEye reported.
It allowed the hackers to secretly run their botnet, FireEye says, because a victim’s anti-virus software thought the illicit traffic was coming from a safe Microsoft site.
It also made it harder for network security professionals to find the actual botnet servers.
And herein lies the embarrassment for Microsoft: Microsoft famously operates a botnet hunting group, The Digital Crime unit, that has worked with the FBI and officials in 80 countries, to take down some of the largest, most dangerous botnets in the world.
This was an in-your-face to Microsoft from the hackers.
FireEye and Microsoft found a way to turn the tables. They injected tracking code into the hacker’s malware to trace the botnet servers.
FireEye identified them as the Chinese hackers APT17, also nicknamed Deputy Dog, who have attacked targets like the U.S. government, international law firms and other big tech companies.
FireEye says there’s a happy ending. It has updated its security software to stop this technique and has shared software on Github that lets web developers identify this kind of attack, too. Microsoft has also updated its security software.
There’s another wrinkle to all of this. FireEye’s technology helps detect what’s known as “advanced persistent threats” (APT) which means that hackers are deliberately targeting one organisation which is very hard to stop. (That’s in contrast to hackers randomly trolling the internet looking to infect computers.)
Last month, Microsoft took a big step as a competitor in FireEye’s eyes by announcing its own APT security tool. It will initially work only with Microsoft’s ActiveDirectory technology, the tool that IT pros use to set up employee accounts with passwords and such.