War in Ukraine: Microsoft, the “cyber-bulwark” against Russian attacks


Hours before our interview at Microsoft headquarters in Redmond, north of Seattle, Tom Burt sent Kyiv two new alerts about impending cyberattacks. It is routine for this calm sixty-something, who has managed the protection of Ukraine since the start of the war. Several times a week, his teams report to Ukrainian specialists that a group of Russian hackers is prowling around a sensitive installation.

The attackers themselves are known. An internal nomenclature has even given them the names of chemical elements: Nobelium, for example, targets universities, Seaborgium the intelligence services, Bromine the energy sector. At the moment, it is the Iridium group that is attracting all the attention, because it essentially targets critical infrastructure: power plants, public utilities, and so on. “All these attacks are synchronized with classic military means,” explains Tom Burt. “When a hydroelectric dam is bombed, we immediately see a cyberattack on the water distribution system. We are indeed in a hybrid war with its three components: conventional weapons, cyber means and propaganda.”

The Iridium group on the attack

On February 23, in the twenty-four hours preceding the Russian invasion, Microsoft teams detected 200 movements against Ukrainian computer networks, both government and private. “All were from Iridium, the most advanced group in deploying the most destructive malware. They were the ones behind NotPetya.” This virus, injected in June 2017 by hackers working for the military intelligence service (GRU), infected hundreds of thousands of computers around the world, hitting multinationals with a devastating ransomware whose creators lost control of it, to the point that it came back, like a boomerang, to the oil group Rosneft… The Iridium group seems to have made some progress in the precision of what has become a weapon of war: “Today it still comes in the form of a ransomware, except that it no longer offers the possibility of paying; it directly erases everything it finds. This is called a wiper,” summarizes Tom Burt.

Having joined Microsoft twenty-seven years ago, Burt is in charge of all of the group’s security. He oversees a network of 8,500 engineers, data scientists, geopolitical analysts and lawyers, spread over 77 countries. In its offices, Russian, Farsi and Korean are spoken. Above all, they all watch over the 1.4 billion people and the million businesses using Windows.

In the early hours of the attack on Ukraine, the Security & Trust teams opened an encrypted communication channel with the Ukrainian government in order to send it all the necessary information as quickly as possible: type of virus, intensity, mode of propagation and means of detection. Above all, it was necessary to inform the Ukrainians in real time about the progress of the attacks: either the malware was at the gates of a Ukrainian network, or it had already penetrated it; in any case, it was necessary to act very quickly: divert the incoming traffic, produce patches (software fixes), isolate the contaminated zones, save the data still intact. Guaranteed adrenaline for the hundreds of people called into Redmond crisis rooms or working remotely.

Global cloud emergency migration

In the week following the offensive, Volodymyr Zelensky signed a decree authorizing the Ukrainian government to transfer all of its data to the cloud, which had previously been prohibited for reasons of national sovereignty. It must be said that the Ukrainian president was spurred on by the first volley of Russian missiles, which had narrowly missed the main data center in Kyiv. Given the pre-existing relationship, it was Microsoft that took charge of the transfer to its giant cloud distributed all over the planet. This last characteristic is essential for a state at war, believes the head of Microsoft security: “The proof is that if you keep essential data on your territory, all attackers, whether they are classic cybercriminals or aggressor states, know where to go to hit with bombs or computer viruses. But if your data is with a hyperscaler [editor’s note: one of the three giants of the sector] present on several continents, not only will the attacker not know where your data is stored, but if he attacks it, it becomes a case of geopolitical extension of the conflict.”

With more than 60 data centers around the world connected by private links, Microsoft is well equipped. By the way, what does the Ukrainian conflict bring to the world’s leading software supplier? It is money out of pocket, says Tom Burt: “We covered the technical costs of transfer and hosting. This free support will be extended until the end of next year. For now, the technical and human effort provided by Microsoft to Ukraine amounts to 400 million dollars, and that is without counting the time spent by our cyber defense teams…”

Microsoft, geopolitical lever of the United States

At this stage, two observations are necessary. One: by its size and its planetary scope, a company like Microsoft (in the same way as Google or Amazon Web Services) becomes a geopolitical component in its own right. It is, moreover, an element integrated by the American executive branch. In the early hours of the Russian attack, Anne Neuberger, the White House deputy national security adviser for cyber, called Tom Burt to request that Microsoft share technical data from the attacks with the Baltic states, Poland and other EU members that might be targeted by Russian cyberattacks.


The US government also relies on Microsoft on an essential point of cybersecurity: the attribution of attacks. Beyond mere public denunciation (naming and shaming), these identification capabilities, which have increased over the past five years, make it possible to feed the judicial apparatus of the United States, whose arm is notoriously long.

Two: assistance of this magnitude becomes a powerful soft-power vehicle for a country which, thanks to giant companies able to protect global computer networks, is increasingly becoming a guarantor of global security. With just one big pebble in the shoe: China.

The specter of a Sino-American confrontation

The question was put to Tom Burt: what would Microsoft’s posture be if the United States were opposed to the Middle Kingdom in a confrontation over Taiwan? After all, Windows enjoys a 74% market share in mainland China, which could give Microsoft a strong ability to harm the Chinese private sector. The answer was categorical: no question of going over to the offensive side of the force. Never. Other sources confirm that this is the job of the National Security Agency, which if necessary joins forces with the British GCHQ, the Israeli Unit 8200 or the French DGSE, depending on the missions and objectives.

But the Seattle company is uncomfortable on the Chinese subject. Admittedly, the groups of attackers, all working for the army, are duly listed in the famous table of chemical elements: in this case, they are called Radium, Nickel or Gallium, depending on the type of target usually aimed at. But the concern comes from Chinese capabilities in the field of artificial intelligence, which will allow attacks far more devastating than a Russian wiper. And there is also what looks like preparation: “We see them building huge databases of zero days.”

A zero day is what is most feared in cyberattacks: these are new, undocumented vulnerabilities, not yet exploited by hackers, a bit like a virus against which there is not yet a vaccine. This type of malicious code sells for half a million dollars on the dark web. “I think in the case of hybrid warfare, we would see China massively using these zero days. If Taiwan were to be attacked, we would do our best to defend them, but I cannot guarantee that we could do as we are doing currently [editor’s note: with Ukraine]. Having to provide comparable assistance simultaneously on several geographical fronts would put us in a very difficult situation.”
