How the Wild Neutron APT Breached Microsoft’s Vulnerability Database in 2013
In 2013, a group known as Wild Neutron infiltrated Microsoft’s vulnerability reporting database, stole data, and remained undetected for months, prompting a month‑long patch effort and a quiet investigation that revealed no immediate exploitation of the leaked flaws.
Background
In 2013 Microsoft’s internal vulnerability reporting database was accessed without authorization. The breach was not disclosed publicly at the time.
Microsoft’s response
Microsoft spent more than a month patching every vulnerability listed in the compromised database. A third‑party security firm was engaged to search for any exploitation of the leaked data; no attacks linked to the disclosed flaws were found. Microsoft concluded that the risk to Windows users was limited because the vulnerabilities had been remediated before public disclosure.
Threat actor – Wild Neutron (also known as Morpho, Jripbot, Butterfly, ZeroWing, Sphinx Moth)
Wild Neutron is an economically motivated APT that targets large technology firms. In early 2013 the group compromised Microsoft, Twitter, Facebook and Apple.
Attack vector against Twitter and Facebook
The group leveraged the Java zero‑day vulnerability CVE‑2013‑0422. Attackers used social engineering to lure employees to a compromised forum (iphonedevsdk.com) that hosted an automated exploit tool. When a victim visited the site with a vulnerable Java runtime, the exploit executed remote code, giving the attackers a foothold in the corporate network.
Post‑2013 activity
After a period of inactivity, Wild Neutron resurfaced in 2014‑2015 employing new large‑scale techniques, but details of those campaigns are outside the scope of this summary.
Victim distribution
The following chart shows the range of organizations targeted by Wild Neutron:
Comparison with similar incidents
Mozilla experienced a comparable breach of its vulnerability database in 2015 and publicly disclosed the incident, sharing details with stakeholders. Other notable breaches include Kaspersky Lab’s 2015 compromise by the Duqu 2.0 group (an APT linked to Israeli intelligence) and Bitdefender’s 2015 data leak, which was driven by a simple extortion attempt.