Inside the Microsoft team tracking the world’s most dangerous hackers

MIT Technology Review, November 6, 2019
by Patrick Howell O’Neill

“From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth.”


When the Pentagon recently awarded Microsoft a $10 billion contract to transform and host the US military’s cloud computing systems, the mountain of money came with an implicit challenge: Can Microsoft keep the Pentagon’s systems secure against some of the most well-resourced, persistent, and sophisticated hackers on earth?


“They’re under assault every hour of the day,” says James Lewis, vice president at the Center for Strategic and International Studies.


Microsoft’s latest win over cloud rival Amazon for the ultra-lucrative military contract means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. These kinds of national security responsibilities once sat almost exclusively in Washington, DC. Now in this corner of Washington state, dozens of engineers and intelligence analysts are dedicated to watching and stopping the government-sponsored hackers proliferating around the world.


Members of the so-called MSTIC (Microsoft Threat Intelligence Center) team are threat-focused: one group is responsible for Russian hackers code-named Strontium, another watches North Korean hackers code-named Zinc, and yet another tracks Iranian hackers code-named Holmium. MSTIC tracks over 70 code-named government-sponsored threat groups and many more that are unnamed.


The rain started just before I arrived on a typical fall day in Redmond, Washington. It kept coming down for my entire visit. Microsoft headquarters is as vast and labyrinthine as any government installation, with hundreds of buildings and thousands of employees. I’d come to meet the Microsoft team that tracks the world’s most dangerous hackers.

Offense and defense

John Lambert has been at Microsoft since 2000, when a new cybersecurity reality was first setting in both in Washington, DC, and at Microsoft’s Washington state headquarters.


Microsoft, then a singularly powerful company that monopolized PC software, had only relatively recently realized the importance of the internet. With Windows XP having conquered the world while remaining shockingly insecure, the team witnessed a series of enormous and embarrassing security failures, including self-replicating worms like Code Red and Nimda. The failures affected many of Microsoft’s huge numbers of government and private sector customers, endangering its core business. Not until 2002, when Bill Gates sent out his famous memo urging an emphasis on “trustworthy computing,” did Redmond finally begin to grapple with the importance of cybersecurity.


This is when Lambert became fascinated with the offensive side of cyber.


“There’s a perfection required in the bounds of attack and defense,” Lambert told me. “To defend well, you have to be able to attack. You have to have the offensive mind-set too; you can’t just think about defense if you don’t know how to be creative about offense.”

About the Author:

Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. He covers national security, election security and integrity, geopolitics, and personal security: How is cyber changing the world? Before joining the publication, he worked at the Aspen Institute and CyberScoop covering cybersecurity from Silicon Valley and Washington DC.