'Large CUs' Allegedly Among Victims in Huge E-Mail Compromise

REDMOND, Wash.–“Large credit unions” have been identified as among the businesses and government agencies that use a Microsoft email service compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, according to Microsoft.

The credit unions allegedly targeted and potentially breached have not been identified. 

The hackers are exploiting four newly discovered flaws in Microsoft Exchange Server email software, and the campaign “has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems,” according to analysts.

The hackers stealthily attacked several targets in January, according to Volexity, the cybersecurity firm that discovered the hack, but escalated their efforts in recent weeks as Microsoft moved to repair the vulnerabilities exploited in the attack, the New York Times reported. The investigation is continuing.

The U.S. government’s cybersecurity agency issued an emergency warning on Wednesday, amid concerns that the hacking campaign had affected a large number of targets, the Times reported, with the warning urging federal agencies to immediately patch their systems. 

Cybersecurity expert Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.

“We’re concerned that there are a large number of victims,” said White House press secretary Jen Psaki. The attack “could have far-reaching impacts,” she added.

Estimates of 30,000 Or More

In the hack that Microsoft has attributed to the Chinese, there are estimates that 30,000 or so customers were affected when the hackers exploited holes in Exchange, a mail and calendar server created by Microsoft, the Times reported.

The hackers were able to steal emails and install malware to continue surveillance of their targets, Microsoft said in a blog post, but Microsoft said it had no sense of how extensive the theft was, the Times added. 

The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password, the report stated.

“This is what we consider really stealth,” Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” 

Volexity reported its findings to Microsoft and the U.S. government, he added.

According to the Times, in late February, the attack escalated. The hackers began weaving multiple vulnerabilities together and attacking a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” Adair was quoted as saying. “It just kept getting worse and worse.”

“The hackers targeted as many victims as they could find across the internet, hitting small businesses, local governments and large credit unions, according to one cybersecurity researcher who has studied the U.S. investigation into the hacks who is not authorized to speak publicly about the matter,” the Times reported. “The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.”

“This is the real deal,” tweeted Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency. Christopher Krebs is not related to Brian Krebs.

When Hack Took Place

Christopher Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and should work quickly to install the patches released this past week by Microsoft, according to the Times.

In a statement, Jeff Jones, a senior director at Microsoft, said, “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”

Microsoft further stated that a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.

Since the company disclosed the attack, other hackers not affiliated with Hafnium began to exploit the vulnerabilities to target organizations that had not patched their systems, according to Microsoft.

The Times reported that patching these systems is not a straightforward task. 

“Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to host their own servers safely,” the report stated. “For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to shift to the cloud and be a financial boon for Microsoft.”

Copyright Holder: CUToday.info
Copyright Year: 2026