Chinese Government-Backed Hackers Go Global With Microsoft Exchange Breach

Establishment media has kicked the new China hacking narrative into high gear, as the Washington Post reports that CCP-backed hackers have gone global with their Microsoft Exchange exploit.

The attack has claimed at least 60,000 victims globally – many of which have been small and medium-sized businesses, banks, electricity providers – while targets have also included “high value intelligence targets in the US.”

On Sunday, the European Banking Authority announced that it had become one of the latest victims, after access to personal data contained on the Microsoft server may have been compromised.

Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, a Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post Friday. One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them. -WaPo

The Chinese hacking group, Hafnium, had been breaking into private and government computer networks for months – targeting a small number of victims at first, according to Steven Adair, head of northern Virginia-based cybersecurity company, Volexity.

Last week, however, “everything changed” when other unidentified hacking groups allegedly began hitting thousands of victims over a short period with hidden software that can give them access later.

“They went to town and started doing mass exploitation — indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry,” said Adair.

Asked to respond to Microsoft’s attribution of the attack to China, a Chinese foreign ministry spokesman told the Post that the country “firmly opposes and combats cyber attacks and cyber theft in all forms,” and that blaming a particular nation was a “highly sensitive political issue.”

The attack comes months after suspected Russian hackers breached nine federal agencies and at least 100 companies through an exploit in IT management software company SolarWinds’ software updates.

“The good guys are getting tired,” said FireEye, Inc. senior vice president Charles Carmakal.

Both the most recent incident and the SolarWinds attack show the fragility of modern networks and sophistication of state-sponsored hackers to identify hard-to-find vulnerabilities or even create them to conduct espionage. They also involve complex cyberattacks, with an initial blast radius of large numbers of computers which is then narrowed as the attackers focus their efforts, which can take affected organizations weeks or months to resolve.

In the case of the Microsoft bugs, simply applying the company-provided updates won’t remove the attackers from a network. A review of affected systems is required, Carmakal said. And the White House emphasized the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers. Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said. -WaPo

“If you are running an Exchange server, you most likely are a victim,” said Adair, after hacking groups began automating the exchange exploit.

According to Milton Security Group founder Jim McMurry, “I know from working with a few customers that this is consuming a great deal of time to track down, clean and ensure they were not affected outside of the initial attack vector.”

Users of Microsoft’s cloud-based email services are not affected.