A hack of Microsoft (MS) Exchange email servers, used by government and business customers worldwide, is considered to still be an ongoing threat despite already affecting 250,000 organizations worldwide, including 30,000 in the U.S. alone.
Microsoft Threat Intelligence Center believes that Hafnium, a hacking group based out of China and purportedly sponsored by the Chinese government, is responsible for the attacks. In response to allegations of its involvement with the group, a spokesperson for the Chinese foreign ministry said that the country “firmly opposes and combats cyber attacks and cyber theft in all forms” and warned that attributing the attacks on another government was a “highly sensitive political issue.”
The hacking has affected hundreds of thousands of users across a variety of small- and medium-sized enterprises, including local government units, police, medical institutions, transportation systems, prisons, electricity providers, banks, senior citizen homes, and even an ice cream parlor. According to cyber security group Volexity, which helped Microsoft identify its vulnerabilities on the hacking issue, the attack started as early as January 6, 2021. Volexity’s head, Steven Adair, described the attack as initially targeting high value intelligence followed by indiscriminate attacks all over the world without regard to an organization’s size, industry, or purpose.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation released a joint advisory stating that the hacking continues to pose a “serious risk” that could undermine Federal Civilian Executive Branch agencies as well as the business operations of private companies, particularly if confidential business information, technology, or research data are illegally obtained.
Haifan has been observed to operate from leased virtual private servers in the United States. Vulnerabilities in MS Exchange on-premises products have since been exploited by at least ten other hacking groups, some with ties to other nation-state actors. The hackers are believed to have accessed non-Cloud-based Exchange Servers often through compromised passwords. They would then install a remotely accessible and web-based backdoor called a web shell. This enabled them to remotely enter administrative commands through a web browser, allowing them to steal data from the computer network of the target organization.
Microsoft released emergency patches for affected Exchange Servers, but various cybersecurity researchers believe that organizations should actively remove the malicious web shells from infected servers, such as by completely rebuilding them. Microsoft has also released other regular updates on the issue, including mitigation guidance and indicators of a potential compromise.
Although unrelated, the MS Exchange hack follows closely on the heels of another recent mass cyberattack: the compromise of the SolarWinds Orion platform, which affected about 100 U.S. companies and nine federal agencies. That attack has been attributed to Russian hackers, and the Biden Administration is said to be considering sanctions against the Russian government in response to the attack and other developments. In response to the SolarWinds hack, the US government formed a Cyber Unified Coordination Group composed of the FBI, CISA, the Office of the Director of National Intelligence, and the National Security Agency to coordinate and investigate cyber attacks and determine appropriate responses.
As of March 5, the White House considers the MS Exchange threat to be “ongoing” and has urged network operators to take it seriously CISA and other related government agencies are continuing their evaluation of the scope of the attack, outstanding vulnerabilities, and potential next steps.