U.S. corporations and government agencies using a Microsoft email service have been compromised in an aggressive hacking campaign likely sponsored by the Chinese government, Microsoft said.
The number of victims is estimated at tens of thousands and, according to some security experts, could rise as the investigation into the breach continues. According to Volexity, the cybersecurity firm that discovered the hack, the hackers quietly attacked several targets in January but escalated their efforts in recent weeks as Microsoft moved to fix the vulnerabilities exploited in the attack.
The US government’s cybersecurity agency issued an emergency warning on Wednesday amid concern that the hacking campaign had hit a large number of targets. The warning prompted federal agencies to patch their systems immediately. On Friday, cybersecurity reporter Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.
“We are concerned that there are large numbers of victims,” said White House press secretary Jen Psaki during a press conference on Friday. The attack “could have far-reaching effects,” she added.
The attack is already believed to be bigger than the December intrusion by Russian hackers through SolarWinds that affected at least 250 federal agencies and businesses. Last month, members of Congress asked industry leaders why the Russian attack went undetected.
The latest attack exploited vulnerabilities in Exchange, a Microsoft-made email and calendar server used by a wide variety of customers, from small businesses to federal agencies. The hackers were able to steal emails and install malware to continue monitoring their targets, Microsoft said in a blog post.
The campaign was spotted in January, said Steven Adair, founder of Volexity. The hackers quietly stole emails from multiple targets, exploiting a flaw that allowed them to access email servers without a password.
“This is what we consider to be really secret,” Adair said, adding that the discovery sparked a frantic investigation. “It made us tear everything apart.” Volexity reported its findings to Microsoft and the US government, he added.
The attack escalated at the end of February. The hackers began weaving multiple vulnerabilities together and targeting a wider group of victims. “We knew that what we had reported and seen as very secret was now being combined and chained to another exploit,” said Adair. “It just got worse and worse.”
According to a cybersecurity researcher familiar with the U.S. investigation into the hacks, who was not authorized to speak publicly about the matter, the hackers attacked as many victims as possible online, hitting small businesses, local governments and large credit unions. The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely following Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of possible compromises of US think tanks and defense industrial base companies,” said Jake Sullivan, the White House national security adviser.
“That’s the real deal,” tweeted Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency. (Mr. Krebs is not related to the cybersecurity reporter who posted the number of victims.)
Mr. Krebs added that companies and organizations using Microsoft’s Exchange software should assume they were hacked sometime between February 26th and March 3rd, and should move quickly to install the patches Microsoft published in the past week.
Microsoft said a Chinese hacking group called Hafnium, “a government sponsored group that operates out of China,” was behind the hack.
Since the company announced the attack, other hackers unrelated to Hafnium have begun exploiting the vulnerabilities to target organizations that haven’t patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks on unpatched systems by multiple malicious actors,” the company said.
Patching these systems is not an easy task. Email servers are difficult to maintain, even for security professionals, and many companies lack the expertise to securely host their own servers. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to move to the cloud and be a financial boon to Microsoft.
Because of the scale of the attack, many Exchange users are likely to be at risk, Adair said. “Even people who fixed this asap, there is an extremely high chance that they have already been compromised.”
Nicole Perlroth contributed reporting.