Hackers breach thousands of Microsoft customers around the world

0:00
play article
Subscribers can listen to this article
Microsoft has warned that its email product Exchange had been compromised.
Microsoft has warned that its email product Exchange had been compromised.
SOPA Imagines/Getty Images
  • Microsoft says the attach started with a Chinese government-backed hacking group.
  • The rapidly escalating attack has drawn the concern of US national security officials, in part because the hackers were able to hit so many victims so quickly.
  • Both incident, together with the recent SolarWinds attack, shows the fragility of modern networks and sophistication of state-sponsored hackers.


A sophisticated attack on Microsoft’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.

The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60 000 known victims globally, according to a former senior US official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

Victims identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, a Ellicott City, Maryland-based firm that monitors the security of customers, in a blog post Friday.

One US cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.

The rapidly escalating attack drew the concern of US national security officials, in part because the hackers were able to hit so many victims so quickly. Researchers say in the final phases of the attack, the hackers appeared to have automated the process, scooping up tens of thousands of new victims around the world in a matter of days.

“We are undertaking a whole of government response to assess and address the impact,” a White House official wrote in an email on Saturday. “This is an active threat still developing and we urge network operators to take it very seriously.”

The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially targeting only a small number of victims, according to Steven Adair, head of the northern Virginia-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers for which the software giant issued a fix on Tuesday.

The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion.

‘Getting Tired’

“The good guys are getting tired,” said Charles Carmakal, a senior vice president at FireEye, the Milpitas, California-based cybersecurity company.

Asked about Microsoft’s attribution of the attack to China, a Chinese foreign ministry spokesman said Wednesday that the country “firmly opposes and combats cyber attacks and cyber theft in all forms” and suggested that blaming a particular nation was a “highly senstive political issue.”

Both the most recent incident and the SolarWinds attack show the fragility of modern networks and sophistication of state-sponsored hackers to identify hard-to-find vulnerabilities or even create them to conduct espionage. They also involve complex cyberattacks, with an initial blast radius of large numbers of computers which is then narrowed as the attackers focus their efforts, which can take affected organizations weeks or months to resolve.

In the case of the Microsoft bugs, simply applying the company-provided updates won’t remove the attackers from a network. A review of affected systems is required, Carmakal said. And the White House emphasized the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.

Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the US, Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.

‘Mass Exploitation’

“They went to town and started doing mass exploitation - indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry,” Adair said. “They were hitting any and every server that they could.”

Adair said that other hacking groups may have found the same flaws and began their own attacks - or that China may have wanted to capture as many victims as possible, then sort out which had intelligence value.

Either way, the attacks were so successful - and so rapid - that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.

Data from other security companies suggest that the scope of the attacks may not end up being quite that bad. Researchers from Huntress examined about 3 000 vulnerable servers on its partners’ networks and found about 350 infections - or just over 10%.

While the SolarWinds hackers infected organisations of all sizes, many of the latest batch of victims are small-to medium-sized business and local government agencies. Organisations that could be most impacted are those that have an email server that’s running the vulnerable software and exposed directly to the internet, a risky setup that larger ones usually avoid.

Smaller organisations are “struggling already due to Covid shutdowns - this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group , a cybersecurity monitoring service in Southern California. “I know from working with a few customers that this is consuming a great deal of time to track down, clean and ensure they were not affected outside of the initial attack vector.”

McMurry said the issue is “very bad” but added that the damage should be mitigated somewhat by the fact that “this was patchable, it was fixable.”

Microsoft said customers that use its cloud-based email system are not affected.The use of automation to launch very sophisticated attacks may mark a new, frightening era in cybersecurity, one that could overwhelm the limited resources of defenders, several experts said.

Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant.

Investigators will be looking for infections that led to hackers taking the next step and stealing data - such as e-mail archives - and searching them for any valuable information later, he said. “If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For only R75 per month, you have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today.
Subscribe to News24
USD/ZAR
14.42
(+0.2)
GBP/ZAR
19.86
(+0.1)
EUR/ZAR
17.27
(+0.2)
AUD/ZAR
11.12
(+0.1)
JPY/ZAR
0.13
(+0.2)
Gold
1,741.91
(+0.3)
Silver
25.50
(+0.3)
Platinum
1,177.00
(+0.3)
Brent Crude
66.58
(+4.6)
Palladium
2,700.00
(+0.8)
All Share
67,812
(0.0)
Top 40
62,084
(0.0)
Financial 15
12,163
(0.0)
Industrial 25
88,847
(0.0)
Resource 10
69,024
(0.0)
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Voting Booth
Please select an option Oops! Something went wrong, please try again later.
Results
Yes, and I've gotten it.
21% - 1267 votes
No, I did not.
51% - 3141 votes
My landlord refused
28% - 1692 votes
Vote