The mass cyber-attacks on Microsoft Corp.’s widely used business email software, Exchange, has done more than make the headlines – it has evolved into a threat so large that it is now being certified by cybersecurity companies as an actual global cybersecurity crisis. A new sophisticated nation-state cyber-attack called Hafnium, which has its origin in China, has been primarily targeting on-premises ‘Exchange Server,’ attacking infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs in the US for the purpose of exfiltrating information.
The attack on Exchange has meant a race for hackers to infect as many victims as possible before companies can secure their computer systems. To date, it has claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation, with many of them being small or medium-sized businesses. It has reached such an extent that the Biden administration has launched an emergency task force to address the issue. The attack allowed hackers to access the email accounts of at least 30,000 organizations in the US.
The first breach of the Microsoft Exchange server was observed by Volexity, a cyber-security platform, in January. By the end of the month, Volexity observed a breach allowing attackers to spy on two of their customers and alerted Microsoft to the vulnerability. After Microsoft was alerted of the breach, Volexity noted the hackers became less stealthy and bolder in anticipation of a patch.
Once Microsoft issued the patch, hackers would race to find the underlying weaknesses the patch addressed, and then try to hack companies that are slow to update their equipment. Hackers are constantly on the prowl for zero-days (critical flaws in the software) because they are the key to stealing user data. The more widely used the software, the more valuable knowledge of a flaw. Although many governments and large companies had already migrated to more modern systems, Microsoft Exchange is still in use by many customers worldwide. Researchers have identified four vulnerabilities and classified them as critical, meaning hackers can use them unseen to steal user data.
The possibility of a leak from one of the company’s security or government partners, or from one of the company’s security or government partners, or from independent researchers is being investigated, it was revealed, although a Microsoft spokesperson declined to comment. It was the timing of the attacks, exploiting vulnerabilities in Microsoft Exchange right before Microsoft could push patches out, that gives credibility to the possibility of a leak.
At least 10 cyber-espionage gangs have attacked Exchange servers, cyber-security firm ESET revealed, and the number of attackers is likely higher now that the vulnerability has been distributed widely among criminal hacking circles.
“The president has been briefed and is tracking the issue closely,” a spokesperson for the U.S. National Security Council said Wednesday in an email. “The White House is working around the clock with our public and private partners, keeping Congress updated, assessing the impact, and defining the next steps we need to take.”
In response to Microsoft’s allegation that China was behind the attacks, Beijing slammed the tech giant, calling it a “groundless accusation” and asking for evidence to support its claim.
From February 28, five new cyber-espionage groups – “Tick,” “Lucky Mouse,” “Calypso,” “Websiic” and “Winnti” – entered the arena. Various security researchers have published reports suggesting that the five additional groups also have connections to China — for example, assessing that the hackers in the groups speak Chinese languages or operate from IP addresses based in China.
Lucky Mouse breached a government organization in the Middle East, Calypso broke into government targets in the Middle East and South America, and Websiic targeted a government organization in Eastern Europe and private companies in Asia. Tick and Winnti did not fall behind, compromising the server of an IT company in East Asia and hacking an oil-and-gas company and a construction equipment company in East Asia respectively.