Microsoft attack blamed on China sharply grows
Email software hack escalates into a global crisis as perpetrators automate the process.
A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
The attack, which Microsoft has said started with a Chinese governmentbacked hacking group, has claimed at least 60,000 known victims globally, a former senior U.S. official with knowledge of the investigation said. Many of them appear to be small or medium-size firms caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
The European Banking Authority became one of the latest victims as it said Sunday that access to personal data through emails held on the Microsoft server may have been compromised.
Others include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, an Ellicott City, Md.-based firm that monitors the security of customers, in a blog post Friday.
One U.S. cybersecurity company that asked not to be named said its experts were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.
The rapidly escalating attack came months after the SolarWinds Corp. breaches by suspected Russian cyberattackers and drew the concern of U.S. national security officials in part because the latest hackers were able to hit so many victims so quickly.
Researchers say in the final phases of the attack, the perpetrators appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.
Washington is preparing its first major moves in retaliation against foreign intrusions over the next three weeks, the New York Times reported, citing unidentified officials. It plans a series of clandestine actions across Russian networks — intended to send a message to Vladimir Putin and his intelligence services — combined with economic sanctions. President Biden could issue an executive order to shore up federal agencies against Russian hacking, the newspaper reported.
“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email Saturday. “This is an active threat still developing and we urge network operators to take it very seriously.”
The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially targeting only a small number of victims, said Steven Adair, head of northern Virginiabased Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers for which the software giant issued a fix last week.
The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 firms through tampered updates from IT management software maker SolarWinds. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration.
Asked about Microsoft’s attribution of the attack to China, a Chinese foreign ministry spokesman said Wednesday that the country “firmly opposes and combats cyber attacks and cyber theft in all forms” and suggested that blaming a particular nation was a “highly sensitive political issue.”
Both the most recent incident and the SolarWinds attack show the fragility of modern networks and the ability of sophisticated state-sponsored hackers to identify hard-to-find vulnerabilities or even create them to conduct espionage.
They also involve complex cyberattacks, with an initial blast radius of large numbers of computers, which is then narrowed as the attackers focus their efforts, which can take affected organizations weeks or months to resolve.
In the case of the Microsoft bugs, simply applying the company-provided updates won’t remove the attackers from a network.
A review of affected systems is required, said Charles Carmakal, a senior vice president at FireEye Inc., the Milpitas, Calif.based cybersecurity company. And the White House emphasized the same thing, including tweets from the National Security Council urging victims to carefully comb through their computers for signs of the attackers.
Initially, the Chinese hackers appeared to be targeting high-value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.
Adair said other hacking groups may have found the same flaws and began their own attacks — or that China may have wanted to capture as many victims as possible, then sort out which had intelligence value.
Smaller organizations are “struggling already due to COVID shutdowns — this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group Inc., a cybersecurity monitoring service in Southern California.
Microsoft said customers that use its cloud-based email system are not affected.
The use of automation to launch very sophisticated attacks may mark a new era in cybersecurity, one that could overwhelm the limited resources of defenders, several experts said.
Some of the initial infections appear to have been from automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data — such as email archives — and searching them for any valuable information later, he said.
“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.