Earlier this month, Microsoft announced that Chinese hackers were trying to exploit vulnerabilities in its Exchange Server, a mail and calendar service used by corporates and organisations. The breach is now being considered one of the biggest cybersecurity stories in recent times, so big that even the United States’ White House has stepped in for damage control.
US President Joe Biden’s administration has said that the breach can have “far-reaching consequences”. Multiple reports have noted the number of affected organisations at over 30,000 in the US alone, with several hundred thousand worldwide.
On March 2, Microsoft issued a statement informing its users — and the world at large — that the company had identified a state-sponsored threat actor it dubbed “Hafnium”. The company said there were vulnerabilities in Exchange Server that Hafnium was exploiting. “Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.”
Historically, Hafnium primarily targets entities in the US to exfiltrate information from sectors such as infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, the company said in a blog post. “While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
What Microsoft has done so far: Microsoft has released emergency security patches for the 2010, 2013, 2016 and 2019 versions of the software. Security researcher Brian Krebs reported on his blog, KrebsOnSecurity, that the fact that Microsoft released a patch for the 2010 version — which the company no longer officially supports — indicates the vulnerabilities might have been in the Exchange code base for more than ten years.
Vulnerabilities only in on-premises servers: The vulnerabilities only seem to affect organisations that run on-premises Microsoft Exchange Servers, not the company’s cloud service, Exchange Online. “We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected,” the company told users in its March 2 announcement.
Who and how many have been affected so far?
On March 5, security researcher Brian Krebs reported that at least 30,000 organisations across the US had been hacked by the Chinese cyber espionage unit. Krebs reported that in the three days since March 2, the group had stepped up attacks on vulnerable, unpatched Exchange servers worldwide.
- Hundreds of thousands of servers compromised: Two cybersecurity experts who had briefed senior US officials reportedly told Krebs that the Chinese hacking group had seized control over “hundreds of thousands” of Exchange servers. Each of these servers corresponds to one organisation that uses Exchange to process its email, Krebs said.
- Police departments, hospitals, city governments affected: Another source working with federal officials on the matter told Krebs that the affected organisations include police departments, hospitals, city and state governments and credit unions. A report by cybersecurity firm FireEye claimed that the victims it had identified included US-based retailers, a university and an engineering firm. It also indicated that a “Southeast Asian government and a Central Asian telecom” might have been hit by the same set of hackers.
- Low capacity for incident response: Since the number of affected organisations is in the tens of thousands, Krebs said a US official told him there weren’t enough incident response teams to deal with the situation.
The 30,000 figure was confirmed by a subsequent report in Wired, in which a security researcher involved with the story said that more than 30,000 Exchange servers had been hacked in the US, and hundreds of thousands worldwide. A former national security official told the publication that thousands of servers were being compromised per hour globally. Chris Krebs (not related to Brian Krebs), a former head of the US government’s cybersecurity watchdog, the Cybersecurity and Infrastructure Security Agency (CISA), has claimed that the actual number of victims of the “crazy huge hack” might be much higher than 30,000.
What data do the hackers get from an attack?
The implications of a server being compromised are grave, since it means the attacker has had complete access to the organisation’s communications network. This fear was underlined in a tweet by CISA, which said: “Critical vulnerabilities in Microsoft Exchange on-premise products could enable an attacker to gain control of an entire enterprise network [emphasis added].”
What a personalised attack can look like: A person working at a Washington think tank told CNN earlier this month that her personal and email accounts were compromised in the attack. She was visited by agents of the Federal Bureau of Investigation (FBI), who told her the attack was indeed an “ongoing, sophisticated hack by a foreign government”, CNN reported. While this is just one person’s account, it still gives a good picture of what can happen:
- The attackers had gained unauthorised access to the person’s email;
- They used this access to send emails to the person’s contacts, “tailing [the messages] in a way that the recipient will not doubt I am the sender”;
- These emails, sent in the person’s name, included invitations to non-existent conferences. They also referred to an article written in the person’s name and a book in a colleague’s name, neither of which had been written by them.
Why is the US government worried?
The attack, by its sheer size, has left the US government quite concerned. Within two days of Microsoft’s announcement, White House National Security Advisor Jake Sullivan said that the White House was closely tracking Microsoft’s emergency patch, and he encouraged network owners to patch their systems as soon as possible. The previous day, CISA had issued an alert telling network owners how to detect whether their systems had already been compromised. CISA has since revised this alert multiple times.
White House Press Secretary Jen Psaki termed the breach a “significant vulnerability that could have far-reaching impacts”. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this,” she said. Even the country’s defense establishment is worried: Pentagon Press Secretary John Kirby told reporters that the US Defense Department was working to determine whether it had been affected by the vulnerability, CNN reported.
Earlier this week, it was reported that the Biden administration is expected to put together a task force to deal with the matter, according to a senior US official quoted by CNN and several other outlets. This task force will reportedly consist of officials from the FBI, CISA and other agencies.
“This has the potential to simultaneously affect organizations that are critical to everyday life in the US,” a source reportedly told CNN.
The development also comes at a time of tension between the US and China, where the hacker group is said to have originated. In the past couple of years, the US has imposed restrictions on major Chinese companies such as Huawei and ZTE, cutting them off from American technology. Huawei, for instance, has been unable to get Google to sell it licensed versions of Android.
Meanwhile, the Chinese foreign ministry has been critical of Microsoft for attributing the attack to China. A ministry spokesperson said China “firmly opposes and combats cyber attacks and cyber theft in all forms”, and said that blaming a particular nation was a “highly sensitive political issue”.