“Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims”
WIRED, March 5, 2021
By Andy Greenberg
“A single group appears to have infiltrated tens of thousands of Microsoft Exchange servers in an ongoing onslaught.”
When news hit earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they were exploiting might have allowed them to hit countless organizations around the world. Now it’s becoming clear just many email servers they hacked. By all appearances, the group known as Hafnium breached as many victims they could find across the global internet, leaving behind backdoors to return to later.
Hafnium has now exploited zero-day vulnerabilities in Microsoft’s Exchange servers’ Outlook Web Access to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources with knowledge of the investigation into the hacking campaign who spoke to WIRED. The intrusions, first spotted by security firm Volexity, began as early as January 6, with a noticeable uptick starting last Friday and spiking early this week. The hackers appear to have responded to Microsoft’s patch, released Tuesday, by ramping up and automating their hacking campaign. One security researcher involved in the investigation who spoke to WIRED on the condition of anonymity put the number of hacked Exchange servers at more than 30,000 in the US alone, and hundreds of thousands worldwide, all apparently by the same group. Independent cybersecurity journalist Brian Krebs first reported that 30,000 figure Friday, citing sources who had briefed national security officials.
“It’s massive. Absolutely massive,” one former national security official with knowledge of the investigation told WIRED. “We’re talking thousands of servers compromised per hour, globally.”
In a press conference Friday afternoon, White House press secretary Jen Psaki warned anyone running the affected Exchange servers to implement Microsoft’s patch for the vulnerabilities immediately. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this,” Psaki said in a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. “Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps.” That White House advice echoed a tweet from former Cybersecurity and Infrastructure Security Agency director Chris Krebs on Thursday night advising anyone with an exposed Exchange server to “assume compromise” and begin incident response measures to remove the hackers’ access.
About the Author:
Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom. He’s the author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book and excerpts from it published in WIRED won a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, two Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Greenberg works in WIRED’s New York office.
See also in Internet Salmagundi:
- China’s and Russia’s Spying Sprees Will Take Years to Unpack
- How China’s Hacking Entered a Reckless New Phase