Microsoft and the cybersecurity firm Volexity uncovered multiple software exploits targeting users of Microsoft Exchange Server, email server software used by businesses and government organizations, according to a new report by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday.
“The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities,” the joint report states, adding that the hacking activity is consistent with previous hacking linked to Chinese cyber actors.
The FBI and CISA report also notes, “Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” adding, “This targeting is consistent with previous targeting activity by Chinese cyber actors.”
An individual briefed on the hack told the Wall Street Journal there could be more than 250,000 victims affected by the hack worldwide.
Microsoft also disclosed the vulnerabilities and noted their likely Chinese origins in a cybersecurity blog post last week. Microsoft labeled the Chinese hacking group “Hafnium.”
“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Microsoft wrote. “While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
The hacking tools identified are known as zero-day exploits: attacks that take advantage of a vulnerability before the software developer has noticed it or released a patch to close it. The name refers to the fact that the developer has had “zero days” to fix the flaw before it is exploited.
Microsoft has since issued patches to fix the vulnerabilities.
Volexity founder Steven Adair told the Wall Street Journal that the Microsoft software exploit “was being used in a really stealthy manner to not raise any alarm bells” but that Hafnium recently changed tactics and appears to have begun using automated tools to target any Exchange server that had not yet been patched against the vulnerabilities.
“The attackers cranked up a huge notch over this past weekend,” Adair said. “They’re just hitting every Exchange server they can find on the internet.”
News of China’s likely involvement in the Microsoft Exchange hack comes after another recent report that China copied NSA zero-day exploits and used them against the U.S. for years.