Microsoft says it tracked intruder for 12 days

Microsoft Corp. now claims its information technology security managers knew that a hacker was combing through the company’s computer network for a 12-day period this month. But the software vendor allowed the invasion to continue in an apparent effort to increase its chances of identifying the culprit.

In a statement released late Friday, nearly 24 hours after the attack first came to light, Microsoft said its IT security staff “became aware of the illegal activity shortly after it first occurred and tracked the hacker’s attempts to expand his unauthorized access to our network over a 12-day period from Oct. 14 to Oct. 25.”

The incident was finally reported to the FBI last Thursday, prompting the agency to launch an investigation into the matter. On several occasions this year, Attorney General Janet Reno and other federal law enforcement officials have urged companies targeted by such attacks to report the incursions so they can be investigated.

Russ Cooper, a security specialist at TruSecure Services in Reston, Va., said it’s not uncommon for a company in Microsoft’s position to detect an attack and then watch carefully to see what the intruder is trying to do so he can be identified and apprehended. If the attacker is immediately shut out of the system upon detection, Cooper said, prosecution essentially becomes impossible.

But Eric Hemmendinger, a security analyst at Aberdeen Group Inc. in Boston, said he disagreed with that view of the situation at Microsoft. “The notion that they followed this [intruder] around for 12 days because they were doing so to find out how this was all going on stretches the bounds of credibility,” Hemmendinger said. “There was a time when people believed the world was flat. We got past that.”

When attackers are allowed to continue with their intrusions after first being detected, Hemmendinger noted, it’s typically done on a temporary basis. But once a hacker even begins to approach access to source code, he added, “then I can’t imagine too many people who would say, ‘Yep, it’s OK to let this persist.'”

Also adding to his skepticism is Microsoft’s decision to bring in the FBI, Hemmendinger said. “When you call in the FBI, you’re bringing in what you hope are big guns,” he said. “To say that they called in the FBI, but that nothing was touched here of substance, is just real hard to believe.”

Graham Cluley, a security expert at U.K.-based security software vendor Sophos PLC, said he agreed that allowing the intruder to move about inside Microsoft’s computer network for 12 days was an unusual move. “That’s a rather dangerous, dodgy thing to do,” he said, because the company couldn’t be sure of the intruder’s capabilities or intentions.

A Microsoft spokesman declined to elaborate on the matter this morning. In the statement released late Friday, the company reiterated an earlier announcement that it has: “found no evidence that the source code for current versions of key products such as Windows or Office had been accessed by the attacker.”

The intruder may have viewed source code “for a single future product under development,” the company acknowledged. But an internal investigation “has confirmed that [the source code] has not been modified or corrupted in any way,” Microsoft said. “We have no evidence to suggest that the hacker gained any other access to any other source code.”