The hackers targeted as many victims as they could find across the internet, hitting small businesses, local governments and large credit unions, according to one cybersecurity researcher who has studied the U.S. investigation into the hacks and who is not authorized to speak publicly about the matter. The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” said Jake Sullivan, the White House national security adviser.
“This is the real deal,” tweeted Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency. (Mr. Krebs is not related to the cybersecurity reporter who disclosed the number of victims.)
Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and work quickly to install the patches released this past week by Microsoft.
Microsoft said a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.
Since the company disclosed the attack, other hackers not affiliated with Hafnium began to exploit the vulnerabilities to target organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.
Patching these systems is not a straightforward task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to host their own servers safely. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to shift to the cloud and be a financial boon for Microsoft.