Hackers exploited Word flaw for months before Microsoft issued patch

Attacks begin

It is unclear how the unknown hackers initially found Hanson's bug. It could have been through simultaneous discovery, a leak in the patching process, or even hacking against Optiv or Microsoft.

In January, as Microsoft worked on a solution, the attacks began.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

The best guess of cyber security experts is that one of Gamma's customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia; either of those countries, or any of their neighbours or allies, could have been responsible. Such government espionage is routine.

The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. But in March, security researchers at FireEye noticed that a notorious piece of financial hacking software known as Latenbot was being distributed using the same Microsoft bug.

FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an 11 April patch.

Then, what counts as disaster in the world of bug-fixers struck. Another security firm, McAfee, saw some attacks using the Microsoft Word flaw on 6 April.

After what it described as "quick but in-depth research," it established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on 7 April.

The blog post contained enough detail that other hackers could mimic the attacks.

Other software security professionals were aghast that McAfee did not wait, as Optiv and FireEye were doing, until the patch came out.

McAfee vice president Vincent Weafer blamed "a glitch in our communications with our partner Microsoft" for the timing. He did not elaborate.

By 9 April, a programme to exploit the flaw was on sale on underground markets for criminal hackers, said FireEye researcher John Hultquist.

The next day, attacks were mainstream. Someone used it to send documents booby-trapped with Dridex banking-fraud software to millions of computers in Australia.

Finally, on the Tuesday, about six months after hearing from Hanson, Microsoft made the patch available. As always, some computer owners are lagging behind and have not installed it.

Ben-Gurion University employees in Israel were hacked, after the patch, by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals, said Michael Gorelick, vice president of cyber security firm Morphisec.

When Microsoft patched, it thanked Hanson, a FireEye researcher and its own staff.

A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors.

"Normal fixing times are a matter of weeks," Mickos said.

Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to make fixes before publishing research when appropriate, and that it "materially followed" that practice in this case.

Optiv is now comparing the details of what Hanson told Microsoft with what the spies and criminals used in the wild, trying to find out if the researcher's work was partly responsible for the worldwide hacking spree, the spokeswoman said.

The spree included one or more people who created a hacking tool for what FireEye's Hultquist said is probably a national government - and then appearing to double-dip by also selling it to a criminal group.

If the patching took time, others who learned of the flaw moved quickly.

On the final weekend before the patch, the criminals could have sold it along to the Dridex hackers, or the original makers could have cashed in a third time, Hultquist said, effectively staging a last clearance sale before it lost peak effectiveness.

It is unclear how many people were ultimately infected or how much money was stolen.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool)