What began as a clandestine Chinese espionage campaign targeting “specific individuals” via flaws in Microsoft email software has escalated into a devastating global hacking free-for-all that is claiming tens of thousands of business and public-sector victims.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Twitter late on Monday urging “ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation” of four vulnerabilities in Microsoft’s Exchange email application, which the tech company disclosed a week ago.
Microsoft’s announcement last Tuesday blamed a Chinese state-backed hacking group known as Hafnium for conducting the stealthy attacks, which began penetrating the email servers of choice targets at the beginning of the year. It has issued fixes for the bugs.
But experts said that since attention was drawn to the flaws, there has been a flood of attacks by multiple hacking outfits — including criminal groups — rushing to compromise victims before they secure their systems.
The European Banking Authority this week became the first notable body to publicly say it had been compromised. It is unlikely to be the last.
“Every possible victim that hadn’t patched by mid-to-end of last week has already been hit by at least one or several actors,” said Dmitri Alperovitch, co-founder of security group CrowdStrike, who now runs the Silverado Policy Accelerator think-tank.
“As these exploits propagate to the criminal element, this issue will become a crisis for organisations with the least resources,” John Hultquist, vice-president of FireEye’s Mandiant Threat Intelligence warned on Twitter.
The concern comes as companies and government agencies have already come under threat from a Russian espionage campaign, in which the perpetrators hijacked a ubiquitous IT software product to gain access to thousands of victims’ systems.
In the sprawling SolarWinds hack, which affected organisations including the US commerce and Treasury departments, hackers lurked deep within some systems for more than a year in what some experts have cast as typical intelligence-gathering activity.
At first, the Microsoft hack appeared to have been equally stealthy. Sean Koessel, vice-president of professional services at Volexity, a cyber security group that helped identify the Microsoft vulnerabilities, said that in early January it had uncovered hackers targeting “very specific individuals” from NGOs and think-tanks.
“They were able to come in at will and very selectively steal emails . . . It wasn’t like a smash-and-grab,” he said.
But during the last weekend of February, either Hafnium or another group rapidly escalated their attacks. After Microsoft made the vulnerabilities public, a third, even bigger wave of attacks arrived as other criminal groups jumped to exploit the flaws. “Everything broke loose,” said Koessel.
For the second time in less than four months, the world’s public and private sectors have been left scrambling to ascertain if they have been hit — and if so, what damage has been done. Where hackers have established toeholds in systems, they will need to be carefully ejected, experts said.
“Incident response teams are BURNED OUT [and] this is at a really bad time,” Chris Krebs, the former CISA chief during the Trump administration, wrote on Twitter, describing the attacks as “the real deal”.
In the meantime, estimates of the number of victims continue to vary. Seasoned cyber security researcher Brian Krebs has claimed that at least 30,000 US organisations “including a significant number of small businesses, towns, cities and local governments” were hacked in the days following Microsoft’s disclosure, citing multiple sources briefed on the matter. Other estimates have run as high as 250,000 victims.
Huntress, a cyber security group focused on small businesses, said it had uncovered more than 350 breached victims from among its clientele including “small hotels, an ice cream company, a kitchen appliance manufacture, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses”.
Roni Suchowski, a UK-based independent security researcher, tested almost 12,000 Exchange servers that are accessible to the internet and found that about 4,500 were vulnerable, more than a third of the sample. The UK-based organisations affected included government and NHS sites, academic institutions, law firms and private companies, Suchowski said, including one FTSE 250 property group that patched its server after being contacted about the flaw. It is unclear how many may have been attacked.
An increasingly frantic series of announcements from US officials over the past week encouraged immediate action from organisations. On Friday, CISA held a call, first reported by the Wall Street Journal, with more than 4,000 critical infrastructure groups in both the private sector and the government urging them to patch their systems.
Jen Psaki, White House press secretary, said on Friday that there was a “large number of victims” in this “active hack”.
‘Microsoft has the resources of a nation state’
China has long been one of the most active nations in conducting cyber warfare against the US. For example, it successfully obtained sensitive data on several million government employees in a hack of the Office of Personnel Management, which was uncovered in 2015.
Theresa Payton, former White House chief information officer and chief executive of cyber security consultancy Fortalice Solutions, said that the first wave of targeted attacks was likely to have been a classic Chinese “industrial espionage” campaign.
Hackers might have been hunting for research and development information on coronavirus vaccines, intellectual property relating to Big Tech or indicators of US trade policies regarding China, she said. Beijing has denied responsibility.
She and other experts have suggested that China could also be responsible for some of the less discriminate rash of attacks, even if it was a separate group of hackers to the more careful Hafnium.
“There are still [Chinese state-backed hacking] units that . . . are like a Hoover vacuuming up all the grains of sand on the beach to take into their back office and then sift [them] looking for the gems,” she said.
Experts warned that the onslaught by criminal hacking groups could mean victims would shortly find themselves hit by ransomware attacks — whereby attackers seize victims’ data and will only release it if they receive payment.
The attacks have prompted some to urge President Joe Biden to take a more aggressive stance towards China at a time when his government is already exploring penalties including sanctions against Russia for the SolarWinds hack.
“This in my view deserves a significant response by the Biden administration,” said Alperovitch.
The hacks also marked a second embarrassment for Microsoft, after it emerged that weaknesses in its systems had played a role in facilitating some of the SolarWinds breaches.
“Microsoft has the resources of a nation state,” said Ron Gula, co-founder of Tenable and a former NSA staffer who invests in cyber security groups. “On the other hand, they’re so big. There’s a lot of complexity in what they are doing.”
Koessel said: “It’s the nature of software, things are going to get missed.”