A Chinese government-linked hacking campaign revealed by Microsoft this week has ramped up rapidly. At least four other distinct hacking groups are now attacking critical flaws in Microsoft’s email software in a cyber campaign the US government describes as “widespread domestic and international exploitation” with potential impact on hundreds of thousands of victims worldwide.
Beginning in January 2021, Chinese hackers known as Hafnium began exploiting vulnerabilities in Microsoft Exchange servers. But since the company publicly revealed the campaign on Tuesday, four more groups have joined in, and the original Chinese hackers have dropped the pretense of stealth and increased the number of attacks they’re carrying out. The growing list of victims includes tens of thousands of US businesses and government offices targeted by the new groups.
“There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” says Katie Nickels, who leads an intelligence team at the cybersecurity firm Red Canary that is investigating the hacks. When tracking cyberthreats, intelligence analysts group clusters of hacking activity by the specific techniques, tactics, procedures, machines, people, and other characteristics they observe. It’s a way to track the hacking threats they face.
Hafnium is a sophisticated Chinese hacking group that has long run cyber-espionage campaigns against the United States, according to Microsoft. They are an apex predator—exactly the sort that is always followed closely by opportunistic and smart scavengers.
Activity quickly kicked into higher gear once Microsoft made its announcement on Tuesday. But exactly who these hacking groups are, what they want, and how they’re accessing these servers remain unclear. It’s possible that the original Hafnium group sold or shared their exploit code or that other hackers reverse-engineered the exploits based on the fixes that Microsoft released, Nickels explains.
“The challenge is that this is all so murky and there is so much overlap,” Nickels says. “What we’ve seen is that from when Microsoft published about Hafnium, it’s expanded beyond just Hafnium. We’ve seen activity that looks different from tactics, techniques, and procedures from what they reported on.”
By exploiting vulnerabilities in Microsoft Exchange servers, which organizations use to operate their own email services, hackers are able to create a web shell—a remotely accessible hacking tool that easily enables back-door access and control of the infected machine—that allows them to control the compromised server over the internet and then pivot to steal data from throughout their target’s network. The web shell means that even though Microsoft has issued fixes for the flaws—which only 10% of Exchange customers had applied by Friday, according to the company—the adversary still has back-door access to their targets.
Applying Microsoft’s software fixes is a crucial first step, but the total cleanup effort is going to be much more complicated for many potential victims, especially when the hackers move freely to other systems on the network.
“We are working closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers,” a Microsoft spokesperson says. “The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
With multiple groups now attacking the vulnerabilities, the hacks are expected to disproportionately affect organizations that can least afford to defend against them, like small businesses, schools, and local governments, said former US cybersecurity official Chris Krebs.
“Why, though?” Krebs asked on Twitter. “Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild?”
With potentially hundreds of thousands of victims worldwide, this Exchange hacking campaign has affected more targets than the SolarWinds hack that the US government is currently struggling to clean up. But, as with the SolarWinds hack, numbers aren’t everything: the Russian hackers behind SolarWinds were highly disciplined and went after specific high-value targets even though they had potential access to many thousands.
The same is true here. Even if the total numbers are alarming, not all compromises are catastrophic.
“All of these are not created equal,” Nickels says. “There are vulnerable Exchange servers where the door is open but we don’t know if an adversary has gone through it. There are slightly compromised servers; maybe a web shell is dropped, but nothing beyond that. Then there is the other end of the spectrum, where adversaries had follow-on activity and moved to other systems.”
It’s rare for the White House to comment on cybersecurity issues, but the Biden administration has had cause to talk a lot about hacking in its first two months in office, between the SolarWinds hack and this latest incident.
“We are concerned that there are a large number of victims and are working with our partners to understand the scope of this,” White House press secretary Jen Psaki said during a Friday afternoon press conference. “Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps.”