Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.
While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.
The hackers have been exploiting a series of four flaws in Microsoft’s Exchange software to break into email accounts and read messages without authorization, and to install unauthorized software, the company said. Those flaws are known as zero days among cybersecurity professionals because they relied on previously undisclosed software bugs, suggesting a high degree of sophistication by the hackers.
“It was being used in a really stealthy manner to not raise any alarm bells,” said Steven Adair, founder of the cybersecurity firm Volexity Inc., one of the companies that Microsoft credited with reporting the issue.
Microsoft publicized the attack on Tuesday and identified the culprits as a Chinese cyberespionage group that it dubbed Hafnium. The company provided a software patch to users to fix the bugs.
A few days before that happened, however, the hackers changed tactics. They abandoned stealth and began using automated software to scan the internet for vulnerable servers and infect them, Mr. Adair said. “The attackers cranked up a huge notch over this past weekend,” he said. “They’re just hitting every Exchange server they can find on the internet.”
A Microsoft spokesman said Friday the company was working with government agencies and security companies on mitigating the incident, but declined to comment on the scope of the attack. News on the attack’s scope was reported earlier by the blogger Brian Krebs.
For years, U.S. authorities have accused China of widespread hacking against American businesses and government agencies. China has denied these allegations.
The attack follows an earlier suspected Russian cyberattack, disclosed in December, on U.S. government systems and American businesses. But that attack, which involved breaking into a networking-software company called SolarWinds, was a surgical strike that broke into about 100 companies and nine government agencies. This latest incident, by contrast, was more of a shotgun blast, infecting tens of thousands of victims or more.
Security experts familiar with the matter said among the concerns with this latest attack is that incident response teams are already pushed to their limits handling that earlier, continuing problem. Microsoft has said the two attacks aren’t related.
The latest hack has prompted widespread concern within the Biden administration, as several government officials in recent days have sought to warn about its potential severity. The Cybersecurity and Infrastructure Security Agency issued a rare emergency directive this week requiring federal government agencies to immediately patch or disconnect products running Microsoft Exchange on-premises products. CISA held a call Friday with more than 4,000 critical infrastructure partners in the private sector and state and local governments encouraging them to patch their systems.
Also on Friday, White House press secretary Jen Psaki told reporters during a press briefing that the Microsoft vulnerabilities were of significant concern and “could have far-reaching impacts” and result in a “large number of victims.”
In an update to its alert, posted Thursday, CISA warned that hackers were using automated tools to scour the internet for vulnerable Exchange servers.
The security firm Symantec has identified a “handful” of hacking groups, all linked to China, behind these attacks, said Vikram Thakur, a security researcher at the company. The victims have tended to be small and medium-size organizations because many larger ones either don’t run some of the Exchange components that include these flaws or limit access to Exchange by using security tools such as virtual private networks, he said.
Users of Microsoft’s cloud-based Office 365 product are unaffected by the hack, the company said.
Mandiant, another security firm, said in a blog post this week that it had witnessed multiple instances of Microsoft Exchange Server abuse dating to January. Detected victims of the attack include U.S.-based retailers, local governments, at least one university and an engineering firm, Mandiant said.
This story has been published from a wire agency feed without modifications to the text.