Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China

The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Businesses and government agencies were affected.
Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.
“We’re concerned that there are a large number of victims,” the White House press secretary, Jen Psaki, said during a press briefing on Friday. The attack “could have far-reaching impacts,” she added.
Federal officials were struggling to understand how the latest hack compared with last year’s intrusion into a variety of federal agencies and corporate systems by Russian hackers in what has become known as the SolarWinds attack. In that incident, the Russian hackers planted code in an update of the SolarWinds network management software. While about 18,000 customers of the company downloaded the code, so far there is only evidence that the Russian hackers stole material from nine government agencies and roughly 100 companies.
The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password.
“This is what we consider really stealth,” Mr. Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” Volexity reported its findings to Microsoft and the U.S. government, he added.
But in late February, the attack escalated. The hackers began weaving multiple vulnerabilities together and attacking a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” Mr. Adair said. “It just kept getting worse and worse.”
The hackers targeted as many victims as they could find across the internet, hitting small businesses, local governments and large credit unions, according to one cybersecurity researcher who has studied the U.S. investigation into the hacks and is not authorized to speak publicly about the matter. The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.
Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and work quickly to install the patches released this past week by Microsoft.
In a statement, Jeff Jones, a senior director at Microsoft, said, “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”
Microsoft said a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.
Since the company disclosed the attack, other hackers not affiliated with Hafnium have begun to exploit the vulnerabilities to target organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.
Patching these systems is not a straightforward task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to host their own servers safely. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to shift to the cloud and be a financial boon for Microsoft.
Because of the broad scope of the attack, many Exchange users are probably compromised, Mr. Adair said. “Even for people who patched this as fast as humanly possible, there’s an extremely high chance that they were already compromised.”
Category: Technology
Source: New York Times