Microsoft says it caught an Austrian spyware group using previously unknown Windows exploits

The details accompanied testimony given to a House Intelligence Committee hearing on commercial spyware

The image shows a hand operating a computer mouse behind an illustrated pattern of eyes.
Photo by Amelia Holowaty Krales / The Verge

Microsoft’s security and threat intelligence teams have reportedly caught an Austrian company selling spyware based on previously unknown Windows exploits.

The new details were released on Wednesday in a technical blog post from Microsoft’s Threat Intelligence Center (MSTIC), published to coincide with written testimony given by the software company to a House Intelligence Committee hearing on commercial spyware and cyber surveillance.

The spyware developer — officially named DSIRF but which Microsoft tracks under the codename KNOTWEED — made spyware known as Subzero that was used to target law firms, banks, and consultancy firms in the UK, Austria, and Panama, Microsoft said. Analysis from MSTIC found that exploits used by DSIRF to compromise systems included a zero-day privilege escalation exploit for Windows and an Adobe Reader remote code execution attack. Microsoft says that the exploit being used by DSIRF has now been patched in a security update.

DSIRF claims to help multinational corporations perform risk analysis and collect business intelligence, but Microsoft and local news reports have linked the company to the sale of spyware used for unauthorized surveillance. Per Microsoft’s blog post:

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”

The new information about Microsoft’s tracking and mitigation of DSIRF / KNOTWEED’s exploits was published at the same time as a written testimony document submitted to the hearing on “Combatting the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware,” held July 27th.

Microsoft’s written testimony described a largely unregulated commercial spyware industry where private actors were free to contract with repressive regimes around the world.

“Over a decade ago, we started to see companies in the private sector move into this sophisticated surveillance space as autocratic nations and smaller governments sought the capabilities of their larger and better resourced counterparts,” the testimony reads.

“In some cases, companies were building capabilities for governments to use consistent with the rule of law and democratic values. But in other cases, companies began building and selling surveillance as a service ... to authoritarian governments or governments acting inconsistently with the rule of law and human rights norms.”

To combat the threat to free expression and human rights, Microsoft is advocating that the United States help advance the debate around spyware as a “cyberweapon,” which could then be subject to global norms and regulations in the way that other classes of weaponry are.

In the same hearing, the Intelligence Committee also received testimony from Carine Kanimba, daughter of imprisoned Rwandan activist Paul Rusesabagina, who was credited with saving as many as 1,200 Rwandans in the 1994 genocide. While advocating for her father’s release, Kanimba’s phone was believed by researchers to have been infected with NSO Group’s Pegasus spyware.

“Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe,” Kanimba said.

NSO Group was also referenced by Citizen Lab senior researcher John Scott-Railton, another expert witness giving testimony to the committee. Scott-Railton described a shifting global landscape in which access to the most sophisticated and intrusive digital surveillance techniques — once only available to a handful of nation states — was becoming much more widespread due to the involvement of “mercenary spyware companies.”

The greater ability of these tools means that even US officials were more likely to be targeted, as reportedly happened to nine State Department employees working in Uganda whose iPhones were hacked with NSO’s Pegasus.

“It is clear that the United States government is not immune from the mercenary spyware threat,” Scott-Railton said.