Written by Kate Conger and Sheera Frenkel
US companies and government agencies that use a Microsoft email service have been hit by an aggressive hacking campaign that was likely sponsored by the Chinese government, Microsoft said.
The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. Hackers had quietly attacked multiple targets in January, according to Volexity, the cybersecurity company that discovered the attack, but stepped up their efforts in recent weeks when Microsoft moved to repair the vulnerabilities exploited in the attack.
The US government’s cybersecurity agency issued an emergency warning on Wednesday, amid concerns that the hacking campaign had hit a host of targets. The warning urged federal agencies to patch their systems immediately. On Friday, cybersecurity reporter Brian Krebs reported that the attack had affected at least 30,000 Microsoft customers.
“We are concerned that there are a large number of victims,” White House press secretary Jen Psaki said during a news conference on Friday. The attack “could have far-reaching impacts,” she added.
Federal officials were struggling to understand how the latest attack compared to last year’s intrusion into a variety of federal agencies and corporate systems by Russian hackers in what is known as the SolarWinds attack. In that incident, Russian hackers placed code in an update to the SolarWinds network management software. While some 18,000 of the company’s customers downloaded the code, there is only evidence so far that Russian hackers stole material from nine government agencies and roughly 100 companies.
In the hack that Microsoft has attributed to the Chinese, an estimated 30,000 customers were affected when hackers exploited holes in Exchange, a mail and calendar server created by Microsoft. Those systems are used by a wide range of customers, from small businesses to state and local governments and some military contractors. Hackers were able to steal emails and install malware to continue surveillance of their targets, Microsoft said in a blog post, but the company said it did not know how extensive the theft was.
The Chinese embassy in Washington did not immediately respond to a request for comment.
The campaign was spotted in January, said Steven Adair, founder of Volexity. Hackers silently stole emails from various targets, taking advantage of a bug that allowed them to access email servers without a password.
“This is what we really consider stealth,” Adair said, adding that the discovery triggered a frenzied investigation. “It made us start destroying everything.” Volexity reported its findings to Microsoft and the US government, Adair said.
But in late February, the attack escalated. The hackers began to chain multiple vulnerabilities together and attack a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” said Adair. “It just kept getting worse and worse.”
The hackers targeted as many victims as they could find on the Internet, hitting small businesses, local governments and large credit unions, according to a cybersecurity researcher who has studied the hackers and was not authorized to speak publicly about the matter. The flaws used by the hackers, known as zero days, were previously unknown to Microsoft.
“We are closely monitoring Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises from US think tanks and defense industry-based entities,” said Jake Sullivan, the White House national security adviser.
“This is the real deal,” tweeted Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency. (Krebs is not related to the cybersecurity reporter who revealed the number of victims.)
Krebs added that companies and organizations using Microsoft’s Exchange program should assume they were hacked sometime between February 26 and March 3, and work quickly to install the patches released last week by Microsoft.
In a statement, Jeff Jones, Microsoft’s senior director, said: “We are working closely with CISA, other government agencies and security companies to ensure that we provide the best possible guidance and mitigation for our customers.”
Microsoft said a Chinese hacking group known as Hafnium, “a group that considers itself state-sponsored and operates outside of China,” was behind the attack.
Since the company disclosed the attack, other hackers unaffiliated with Hafnium began exploiting the vulnerabilities to attack organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.
Patching these systems is not an easy task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to safely host their own servers. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to switch to the cloud and be a financial boon for Microsoft.
Due to the wide scope of the attack, many Exchange users are likely compromised, Adair said. “Even for the people who corrected this as quickly as humanly possible, there is an extremely high probability that they have already been compromised.”