Microsoft hacking now a macro hard global cybersecurity crisis
• Companies and countries are racing to patch systems with Chinese group the prime suspect
It can’t have been a fun week for cybersecurity teams, both those working in corporates using Microsoft Exchange servers and those in the tech behemoth itself who have been frantically trying to patch things up since March 2.
Tuesday marked a week after news first broke of a handful of gaps in the Microsoft Exchange armour that have allowed hackers (or threat agents) to target tens of thousands of organisations that use the hugely popular software and now find themselves (and their client data) vulnerable or already breached.
Some reports suggest there may already be 60,000 victims, ranging from small businesses (including at least one old-age living centre and an ice-cream company) to banks and even the European Banking Authority. The latter — which collects and stores masses of sensitive banking data — recently confirmed that its e-mail servers had been targeted, but said no data had actually been obtained (dare I say, “yet”?) The potential pool of victims is huge, though, and could include military and government targets.
Microsoft has released security updates and an updated script that can scan Exchange log files for indicators of compromise. It is keeping us informed via a frequently updated post that explains that the 0-day vulnerabilities have been used to “attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks … which enabled access to e-mail accounts and allowed installation of additional malware” for “long-term access to victim environments”.
Or, if you want the simple version from Krebsonsecurity.com (https://krebsonsecurity.com/), written by veteran tech journalist Brian Krebs: “The espionage group is exploiting four … flaws in Microsoft Exchange Server e-mail software and has seeded … victim organisations worldwide with tools that give the attackers total remote control over affected systems.”
Well, that’s not ideal. Krebs has an intensely detailed account of the matter for the interested and technically inclined, including a timeline that takes us back to first detection on January 6, the same day, incidentally, as the US Capitol insurrection. Conspiracy theorists can make of that what they will.
Soon other shady types jumped in using the same weaknesses, and we now have a desperate race by companies and countries to patch these systems before they are affected. Microsoft urged customers running Exchange to apply the fixes made available to them to secure their servers and data.
Still, the situation has gone from bad to worse, “morphing into a global cybersecurity crisis”, as Bloomberg puts it, which is not a slogan you’re going to put on the company marketing profile. And you know things are bad when you get a mention in a White House briefing.
The Microsoft Threat Intelligence Center has, “with a high degree of confidence”, named a Chinese hacking group called Hafnium as the culprit, and alleges it enjoys the backing of the Chinese government.
Naturally, Chinese sources responded, calling Microsoft’s accusation a “sensitive political issue” and claiming that China “firmly opposes and combats cyber attacks and cyber theft in all forms”.
So that’s the unfolding drama, but the story and the problem have been building for months. Reuters describes it as starting as a controlled attack late in 2020 against a “few classic espionage targets” — a phrase that conjures up vague visions of Bond, James and Burberry trench coats, but is probably far more bureaucratic in nature.
This is the second major international cybersecurity crisis of its ilk recently. The first was an attack of suspected Russian origin that used software updates from SolarWinds to breach nine US federal agencies and about 18,000 other clients of SolarWinds.
Now The New York Times is reporting that the US is preparing to retaliate against these foreign state-backed threat agents as well as potentially the states that back them. What forms those retaliatory actions will take isn’t immediately clear, but they are likely to be accompanied by the additional deterrent of economic sanctions.
I’d be tempted to call it a cold war — just for the cultural and historical cachet that encapsulates it — but there’s nothing cold about it. The perpetrators are motivated, the tools sophisticated (automated attacks and all), and the stakes sky-high. It reveals, as Bloomberg so beautifully put it, “the fragility of modern networks and sophistication of state-sponsored hackers”.
Furthermore, it will have far-reaching consequences not just for Microsoft, other software makers and the hacked victims — insurers and cybersecurity professionals are also scrambling for higher ground, and all of us will be hoping for a better understanding when this wave subsides.
● Thompson Davy, a freelance journalist, is an impactAFRICA fellow and WanaData member.