Microsoft has built malicious software found on the computer systems of some of its customers in at least three countries, an Austrian firm said, saying its spying tool “SubZero” was only for official use in EU states.
on Wednesday, Microsoft Said the firm, DSIRF, had deployed espionage software, or spyware, capable of accessing confidential information such as passwords or login credentials to an unspecified number of unnamed banks, law firms and strategic advisors.
DSIRF said in an emailed statement, “Subzero is a software from the Austrian DSIRF GesmbH, developed exclusively for official use in the EU states. It is neither offered, sold, nor Nor is it made available for commercial use.”
“In view of the facts described by Microsoft, DSIRF completely rejects the notion that it has misused SubZero Software.”
It was not clear which EU member state governments, if any, were using the tool. DSIRF did not respond to requests for further comment.
Austria’s Interior Ministry told local news agency APA on Friday that it was investigating Microsoft’s claims. The ministry did not respond to Reuters requests for comment.
Spyware tools have come to greater attention in Europe and the United States when Pegasus, spyware developed by Israel’s NSO, was used by governments to spy on journalists and dissidents.
The DSIRF said they had appointed an independent expert to investigate the issues raised by Microsoft, and had reached out to the US tech giant for “cooperation on this issue”.
Microsoft declined to provide further comment.
In its Thursday blog post, the company said that DSIRF has developed four so-called “zero-day exploits,” software flaws very important to both hackers and spies because they work even when the software is up to date.
The DSIRF listed some older, commercial, customers as references in an internal presentation promoting Subzero published by the German news website Netzpolitik last year.
The two companies named in that presentation, Cigna Retail and Denton, told Reuters that they did not use spyware and did not consent to the company’s references.
DSIRF did not respond to a request for comment on the matter.
© Thomson Reuters 2022