The Biden administration is warning about cyberattacks against Microsoft’s Exchange Server, which the Big Tech company says are being carried out by a sophisticated hacker group based in China and backed by the Chinese government.
Microsoft detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” and its Threat Intelligence Center attributed the campaign with “high confidence” to a hacker group dubbed “Hafnium,” the company announced this week. Microsoft said the group was “state-sponsored” and operating out of China, an assessment it said was based on “observed victimology, tactics, and procedures.” Exchange Server is Microsoft’s mail server software, which organizations run to provide their own email, calendar, scheduling, contact, and collaboration services; the attacks targeted installations that organizations host on their own premises.
Jake Sullivan, the national security adviser for President Biden, warned about the hack on Thursday night, tweeting, “We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities. We encourage network owners to patch ASAP.”
Microsoft said this week that the Chinese hackers used Microsoft vulnerabilities to access email accounts and to install additional malware “to facilitate long-term access to victim environments.” Microsoft said Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs” and that it “operates primarily from leased virtual private servers in the United States.”
White House press secretary Jen Psaki was asked about the Microsoft hack on Friday.
“This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat, and as the national security adviser tweeted last night, everyone running these servers (government, private sector, academia) needs to act now to patch them,” Psaki said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this. So, it’s an ongoing process. … Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps.”
Psaki pointed out that the Cybersecurity and Infrastructure Security Agency issued an emergency directive to deal with the problem and added, “We’re now looking closely at the next steps we need to take. It’s still developing. We urge network operators to take it very seriously.” She did not directly answer whether she believed the federal government had been affected by the Chinese hackers.
CISA warned that “successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system” and that “successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network.”
The CISA guidance “offers specific measures beyond just patching to determine if your systems are already compromised,” Sullivan tweeted.
Tom Burt, the corporate vice president of customer security and trust at Microsoft, wrote this week that “Hafnium operates from China, and this is the first time we’re discussing its activity.” He called the Chinese hacker group “a highly skilled and sophisticated actor” that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”
The Microsoft executive stressed that “the exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks” and insisted that “we continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”
Anne Neuberger, the deputy national security adviser for cyber and emerging technology who was named as the point person coordinating the U.S. government’s response to the SolarWinds breach, said in mid-February that the Biden administration’s response to the SolarWinds hack would “holistically” consider all of the “likely Russian” malign cyber actions when putting together a response to the intrusions.
Chinese Foreign Ministry spokesman Wang Wenbin rejected Microsoft’s claim that China was involved in the newly discovered cyberattacks.
“China firmly opposes and combats cyber attacks and cyber theft in all forms. This position is consistent and clear. China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyber attacks is a complex technical issue. It is also a highly sensitive political issue to pin the label of cyber attack to a certain government,” Wang said this week. “We hope that relevant media and company will adopt a professional and responsible attitude and underscore the importance to have enough evidence when identifying cyber-related incidents, rather than make groundless accusations.”
The cybersecurity firm Volexity appeared to first spot the hack, writing that it detected the “anomalous activity” in January. FireEye, a leading cybersecurity company, said it had identified “an array of affected victims including U.S.-based retailers, local governments, a university, and an engineering firm” and that “related activity may also include a Southeast Asian government and Central Asian telecom.”