Microsoft says businesses and government agencies in the United States that use Microsoft’s email service have been compromised in an aggressive attack campaign that is presumably funded by the Chinese government.
Some security experts estimate the number of victims to be in the tens of thousands, and it could increase as the investigation of the breach continues. According to Volexity, the cybersecurity company that discovered the hack, the hackers stealthily attacked several targets in January, but their efforts escalated in recent weeks as Microsoft moved to fix the vulnerabilities exploited in the attack.
The US government’s cybersecurity agency issued an emergency warning on Wednesday, amid fears that the offensive had affected a large number of targets. The warning prompted federal agencies to immediately patch their systems. On Friday, cybersecurity reporter Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.
White House press secretary Jen Psaki said during Friday’s press conference: “We are concerned that there is a large number of victims.” The attack “can have far-reaching effects,” she added.
The attack is believed to be larger than the December SolarWinds intrusion by Russian hackers, which affected at least 250 federal agencies and businesses. Last month, members of Congress questioned industry leaders about why the Russian attack went undetected.
The latest attack exploited vulnerabilities in Exchange, a mail and calendar server created by Microsoft and used by many customers, from small businesses to federal government agencies. In a blog post, Microsoft said the hackers could steal emails and install malware to continue monitoring their targets.
Steven Adair, founder of Volexity, said the campaign was discovered in January. The hackers silently stole emails from several targets, exploiting a bug that allowed them to access the email server without a password.
“This is what we consider truly stealthy,” Adair said, adding that this discovery started a frenetic investigation. “It caused us to start ripping things up.” Volexity reported its findings to Microsoft and the US government, he added.
But at the end of February, the attack escalated. The hackers began to chain multiple vulnerabilities together and attack a broader group of victims. “We know that what we’ve reported and seen stealthily used is now being combined and strung with another exploit,” said Adair. “It just kept getting worse and worse.”
According to a cybersecurity researcher who studied the US investigation into the attacks, and who was not authorized to speak publicly about the matter, the hackers targeted small businesses, local governments, and major credit institutions. The vulnerabilities used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely monitoring Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software, and reports of potential intrusions at consulting organizations and American defense industrial facilities,” said Jake Sullivan, the White House national security adviser.
“This is the real deal,” tweeted Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency. (Mr. Krebs is not related to the cybersecurity reporter who revealed the number of victims.)
Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume they were hacked between February 26 and March 3 and work quickly to install the patch Microsoft released last week.
Microsoft said a Chinese hacking group called Hafnium, “a group that is considered state-sponsored and operating out of China,” was behind the hack.
Since the company disclosed the attack, other hackers not affiliated with Hafnium have begun exploiting the vulnerabilities to target organizations that have not yet patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities by multiple malicious actors in attacks targeting unpatched systems,” the company said.
Patching these systems is not a simple task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the experience to safely host their own. For years, Microsoft has pushed these customers to move to the cloud, where Microsoft can manage security for them. Industry experts say security incidents can encourage customers to switch to the cloud and are a financial boon for Microsoft.
Due to the wide scope of the attack, many Exchange users may have been compromised, Adair said. “Even for those who fix this as quickly as possible, there’s a high chance they’ve been compromised.”
Nicole Perlroth contributed reporting.