Hustling to stop global hack
Users of Microsoft email server software scramble to shore up infected systems
BOSTON — Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled this week to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.
The White House has called the hack an “active threat” and said senior national security officials were addressing it.
The breach was discovered in January and attributed to Chinese cyberspies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch March 2, there was an explosion of infiltrations by other intruders. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, health care providers and manufacturers.
While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems.
The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable threat from China.
“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began Feb. 26, though other researchers say it’s too early to confidently attribute them. It’s a mystery how those hackers got wind of the initial breach because no one knew about it except a few researchers, Alperovitch said.
After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.
Experts trying to pull together a complete picture of the hack said their analyses concur with the figure of 30,000 U.S. victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said 250,000 global victims has been estimated.
David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.
Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches won’t be enough to protect those already infected.
“If you patch today that is going to protect you going forward, but if the adversaries are already in your system then you need to take care of that,” she said.
A smaller number of organizations were targeted in the initial intrusion by hackers who grabbed data, stole credentials or explored inside networks and left backdoors at universities, defense contractors, law firms and infectious disease research centers, researchers said.
“On the scale of one to 10, this is a 20,” Kennedy sai “It was essentially a skeleton key to open up any company that had this Microsoft product installed.”