The Washington Post Sunday

U.S. addressing the China-linked hack of Microsoft email servers

By Ellen Nakashima, ellen.nakashima@washpost.com

The Biden administration is moving to address a global compromise by Chinese government-sponsored hackers of Microsoft email servers affecting at least 30,000 public and private entities in the United States alone, according to U.S. officials and people familiar with the matter.

So far, U.S. officials say there is no sign that federal agencies or major defense contractors have been hacked in the campaign that researchers believe began as far back as January, but they fear it could spiral into a crisis crippling many small and midsize businesses and state and local government agencies — those least able to afford it.

The broad, indiscriminate nature of the compromise and the difficulty of containing the infections have caused concern among officials at the White House, National Security Agency, Pentagon and Department of Homeland Security.

National security adviser Jake Sullivan issued an unusual late-night tweet Thursday urging organizations using Microsoft Exchange servers to apply “ASAP” a patch the tech giant rushed out this past week to prevent new infections. On Friday, the firm added additional workarounds for companies that had not installed the first patch.

Microsoft Exchange is one of the most commonly used non-cloud services for companies and government agencies operating their own email servers. The figure of 30,000 was first reported by blogger Brian Krebs.

The White House is looking at convening an emergency group of government agencies to address the issue, according to the officials, who spoke on the condition of anonymity to discuss internal deliberations. Officials are expected to hold a meeting this coming week to consider the creation of a cyber “Unified Coordination Group,” which would review the scope and severity of the situation and determine what responses would be appropriate.

The matter arises as the Biden administration is preparing a series of measures to respond to Russia’s SolarWinds hack of federal agencies and private companies. A key component of that response will be shoring up federal cybersecurity.

Microsoft has been coordinating with the government in both investigations.

The situation is “very, very serious,” said one U.S. official.

Microsoft on Tuesday disclosed that its Exchange servers had security flaws that were being exploited by a group of Chinese government hackers it dubbed “Hafnium.” The group has targeted infectious-disease researchers, law firms, universities and think tanks, among others, for data theft, Microsoft said.

State and local government agencies also have been compromised, which could be significant if agencies that handle critical local services such as policing and health services are offline, U.S. officials said.

Hafnium built hacking tools or “exploits” taking advantage of four security holes in Microsoft software to gain access to a victim’s email server. Once inside, the hackers deposited “webshell” malware — a back door — that allowed them to control the server remotely and to return later to steal data.

Of the tens of thousands of organizations that have been infected by the webshell, it’s not clear how many victims have had emails siphoned. Several “high value” targets have seen such losses, said Steven Adair, president of Volexity, a cybersecurity firm that tipped Microsoft to two of the four exploits.

Adair said his firm tracked the malicious activity back to early January, though researchers in Taiwan identified Exchange software bugs as far back as December.

For much of January and February, the Chinese theft of email seemed stealthy and targeted, Adair said. Then suddenly about a week ago, shortly before Microsoft issued its patch, the activity exploded. The hackers seemed to be dropping webshells on anyone running an Exchange server, he said. It was, he said, almost as if they suspected a patch was forthcoming.

Although Microsoft issued a fix Tuesday, it does not neutralize a webshell already placed on a victim’s server, which enables the hackers to sneak back in. “So there were a significant number of organizations that are safe from new exploitation but not safe from a ticking time bomb that was left behind,” Adair said.

What’s concerning U.S. officials and cybersecurity firms alike is that more than one hacking group now appears to be taking advantage of the webshells.

There “definitely appears to be multiple Chinese [government] groups and at least one Russian-language cybercriminal group” active, said Allan Liska, intelligence analyst at Recorded Future, a cyber threat research firm.

Even U.S. government personnel are struggling to sort out which hacker groups are doing what, and so far there is no firm attribution.

“It’s like a free-for-all now,” Adair said.

Researchers who scan the Internet for the presence of the malware are finding indications that up to 250,000 servers might be infected globally, said one person familiar with the matter.

Network administrators can remove the webshell, but the real challenge is that the vast majority of victims are organizations that lack the resources of the federal government or big companies to handle the patching and incident response needed, some experts said.

Once the hackers have control of a victim’s email server, they can more easily compromise entire networks. One fear that some U.S. officials have is that criminal hackers might use that access to install ransomware on massive numbers of businesses and government agencies. That could be more disruptive to average consumers than email theft, one official said.
