U.S. corporations and government agencies using a Microsoft email service have been compromised in an aggressive hacking campaign likely sponsored by the Chinese government, Microsoft said.
The number of victims is estimated at tens of thousands and, according to some security experts, could rise if the investigation into the breach continues. According to Volexity, the cybersecurity firm that discovered the hack, the hackers secretly attacked multiple targets in January, but their efforts escalated in recent weeks as Microsoft fixed the vulnerabilities exploited in the attack.
The US government’s cybersecurity agency issued an emergency warning on Wednesday fearing that the hacking campaign had hit a large number of targets. The warning prompted federal agencies to patch their systems immediately. On Friday, cybersecurity reporter Brian Krebs reported that the attack hit at least 30,000 Microsoft customers.
“We are concerned that there are large numbers of victims,” said White House press secretary Jen Psaki during a press conference on Friday. The attack “could have far-reaching effects,” she added.
Federal officials struggled to understand how the most recent hack compares to last year’s penetration by Russian hackers into a variety of federal agencies and corporate systems in what is known as the SolarWinds attack. In this case, the Russian hackers put code in an update to the SolarWinds network management software. While around 18,000 customers of the company have downloaded the code, so far there is only evidence that the Russian hackers have stolen material from nine government agencies and around 100 companies.
In the hack Microsoft attributed to the Chinese, it is estimated that around 30,000 customers were affected when the hackers exploited vulnerabilities in Exchange, an email and calendar server created by Microsoft. These systems are used by a wide range of customers, from small businesses to local and state agencies to some military contractors. The hackers were able to steal email and install malware to continue monitoring their targets, Microsoft said in a blog post, but Microsoft said it had no idea how extensive the theft was.
The campaign was spotted in January, said Steven Adair, founder of Volexity. The hackers quietly stole emails from multiple destinations, exploiting a flaw that allowed them to access email servers without a password.
“This is what we consider to be really secret,” Adair said, adding that the discovery sparked a frantic investigation. “It made us tear everything apart.” Volexity reported its findings to Microsoft and the US government, he added.
The attack escalated at the end of February. The hackers began weaving multiple vulnerabilities together and targeting a wider group of victims. “We knew that what we had reported and seen as very secret was now being combined and chained to another exploit,” said Adair. “It just got worse and worse.”
According to a cybersecurity researcher who investigated the U.S. investigation into the hacks and who has no authority to speak publicly about the matter, the hackers attacked as many victims as possible online, hitting small businesses, local governments and large credit unions. The errors used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely following Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reporting possible compromises between US think tanks and defense companies,” said Jake Sullivan, National Security Advisor to the White House.
“This is the real deal,” tweeted Christopher Krebs, former director of the US agency for cybersecurity and infrastructure. (Mr. Krebs is not related to the cybersecurity reporter who posted the number of victims.)
Mr Krebs added that companies and organizations using Microsoft’s Exchange program should assume they were hacked sometime between February 26th and March 3rd and should work on it quickly that past week Install patches published by Microsoft.
In a statement, Jeff Jones, Microsoft Senior Director, said, “We are working closely with CISA, other government agencies and security companies to ensure we are providing the best guidance and mitigation to our customers.”
Microsoft said a Chinese hacking group called Hafnium, “a government sponsored group that operates out of China,” was behind the hack.
Since the company announced the attack, other non-hafnium hackers have started exploiting the vulnerabilities for target organizations that haven’t patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities when multiple unpatched systems are attacked by multiple malicious actors,” the company said.
Patching these systems is not an easy task. Email servers are difficult to maintain, even for security professionals, and many companies lack the expertise to securely host their own servers. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to move to the cloud and be a financial boon to Microsoft.
Because of the scale of the attack, many Exchange users are likely to be at risk, Adair said. “Even people who fixed this asap, there is an extremely high chance that they have already been compromised.”
Nicole Perlroth contributed to the reporting.