Data raids against on-premises Microsoft Exchange Server setups by the Chinese state-linked group Hafnium have been much more extensive than initially believed, with tens of thousands of companies potentially affected.
Last week Microsoft warned that four zero-day exploits affecting its mail server tech were being actively exploited by Hafnium, a previously identified “nation state” level threat group believed to have links to the People’s Republic of China. Microsoft’s initial assessment suggested that raids so far had affected a “limited” number of companies using its Exchange Server products.
However, reports over the weekend suggest that this was a very optimistic view. Sources told independent security expert Brian Krebs that “at least 30,000 organisations” across the US have been successfully hacked.
Separately, Reuters reports that more than 20,000 US organisations have been compromised via the Exchange Server zero-days. Worldwide the number is likely to be much higher, with Krebs suggesting that the global total is likely to top 100,000.
The White House press office joined the chorus of warnings, stating that the Microsoft Exchange hack is “an active threat” and urging government departments, the private sector and academia to patch their on-premises Exchange servers. Exchange Online is not believed to be affected.
The US National Security Council (NSC) warned that CIOs and CISOs should not just patch and relax, tweeting:
“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”
If the new estimates are correct, the scale of the attack has already exceeded that of the recent SolarWinds hack, in which a tainted software update gave suspected Russian nation-state hackers remote access to large numbers of targeted networks. Microsoft says that the two attacks are not connected.
Andy Miles, chief information security officer at risk management business Quantum Resilience, told Verdict that “on the balance of probabilities” UK organisations must also have been compromised.
Telemetry data from cybersecurity firm ESET indicates the majority of attacks are against US organisations, with 267 observed attacks. Germany was a distant second with 25. “Several” cyber-espionage groups have been exploiting the Exchange vulnerabilities, ESET added.
While Microsoft has rolled out patches for the four Exchange critical vulnerabilities, as the NSC points out, installing the security updates does not remove threat actors that have already compromised the network – or undo any damage that might have already been done.
Once Hafnium compromises its victims’ servers it deploys a web shell, a malicious interface that gives hackers the ability to steal data or install malicious software. This software could give Hafnium complete remote control over affected systems. The Hafnium hackers have been observed stealing files and emails from affected companies, as well as installing connections to a remote server.
The NSC says that it is “essential” for organisations to search for indications that Hafnium was inside the network. Microsoft has published a script which can be used to scan for signs of such intrusions.
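The check the NSC is calling for comes down to looking for the web shell that Hafnium is described as leaving behind, and the simplest defender-side version of that is comparing the script files in a web-facing directory against a known-good baseline. The script below is an added illustration written for this article, not Microsoft’s published scanning script and not code from any project named here; it assumes a baseline was captured from a clean state, and the directory tree and file names it inspects are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

# File types a server-side web shell would typically be written as.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php")


def sha256_of(path):
    """Hash a file in chunks so large files do not need to be loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _script_files(root):
    """Yield (relative path, absolute path) for every script file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Map relative path -> sha256 for a known-good copy of the web directory."""
    return {rel: sha256_of(full) for rel, full in _script_files(root)}


def hunt_web_shells(root, baseline, since_epoch):
    """Flag script files that are new, altered, or touched inside the suspicion window.

    Hash mismatches are checked before timestamps because an attacker can
    reset a file's mtime but cannot make altered content match the baseline.
    """
    findings = []
    for rel, full in _script_files(root):
        digest = sha256_of(full)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
        elif os.path.getmtime(full) >= since_epoch:
            findings.append((rel, "modified inside suspicion window"))
    return sorted(findings)


def demo():
    """Build a constructed web directory, baseline it, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "site", "app")
        os.makedirs(app)
        index = os.path.join(root, "site", "index.aspx")
        page = os.path.join(app, "page.aspx")
        for path in (index, page):
            with open(path, "w") as handle:
                handle.write("<%-- constructed legitimate page --%>\n")
        # Legitimate files pre-date the suspicion window by 30 days.
        old = time.time() - 30 * 86400
        os.utime(index, (old, old))
        os.utime(page, (old, old))

        baseline = build_baseline(root)

        # Simulated compromise: one existing page altered, one new file dropped.
        with open(page, "a") as handle:
            handle.write("<%-- constructed appended content --%>\n")
        with open(os.path.join(app, "new.aspx"), "w") as handle:
            handle.write("<%-- constructed newly dropped file --%>\n")

        window_start = time.time() - 7 * 86400
        return hunt_web_shells(root, baseline, window_start)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Anything the scan flags is a lead to examine, not proof of compromise: legitimate updates also change hashes, so the baseline has to be refreshed after every patch, and a clean scan only says nothing was found in the directories that were checked.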
Chris Krebs, former head of the US Cybersecurity and Infrastructure Security Agency, said via Twitter that the Exchange Server hack is “the real deal”.
He added: “If your organisation runs an [Outlook Web Access] server exposed to the internet, assume compromise” between 26 February and 3 March.
The Exchange Server attacks started as early as 6 January 2021 but the Chinese espionage group appears to have stepped up its efforts in the last few days.
News of the Exchange Server hack came in the same week that Microsoft announced it is opening a new Azure cloud region in China. Under China’s National Intelligence Law, businesses operating in the territory must cooperate with state intelligence services, which means the Chinese state would not need to resort to hacking to gain access to data stored on those servers.