Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.
The White House has called the hack an “active threat” and said senior national security officials were addressing it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers, and manufacturers.
While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.
“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began February 26, though other researchers say it’s too early to confidently attribute them. It’s a mystery how those hackers got wind of the initial breach because no one knew about this except a few researchers, Alperovitch said.
After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.
Cybersecurity analysts trying to pull together a complete picture of the hack said their analyses concur with the figure of 30,000 U.S. victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said about 250,000 global victims has been estimated.
Microsoft has declined to say how many customers it believes are infected.
David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.
“Anybody that had Exchange installed was potentially vulnerable,” he said. “It’s not every single one but it’s a large percentage of them.”
Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches won’t be enough to protect those already infected. “If you patch today that is going to protect you going forward but if the adversaries are already in your system then you need to take care of that,” she said.
A smaller number of organizations were targeted in the initial intrusion by hackers who grabbed data, stole credentials, or explored inside networks and left backdoors at universities, defense contractors, law firms and infectious-disease research centers, researchers said. Among those Kennedy has been working with are manufacturers worried about intellectual property theft, hospitals, financial institutions and managed service providers who host multiple company networks.
“On the scale of one to 10, this is a 20,” Kennedy said. “It was essentially a skeleton key to open up any company that had this Microsoft product installed.”
Asked for comment, the Chinese embassy in Washington pointed to remarks last week from Foreign Ministry spokesperson Wang Wenbin saying that China “firmly opposes and combats cyberattacks and cyber theft in all forms” and cautioning that attribution of cyberattacks should be based on evidence and not “groundless accusations.”
The hack did not affect the cloud-based Microsoft 365 email and collaboration systems favored by Fortune 500 companies and other organizations that can afford quality security. That highlights what some in the industry lament as two computing classes — the security “haves” and “have-nots.”
Ben Read, director of analysis at Mandiant, said the cybersecurity firm has not seen anyone leverage the hack for financial gain, “but for folks out there who are affected time is of the essence in terms of patching this issue.”
That is easier said than done for many victims. Many have skeleton IT staff and can’t afford an emergency cybersecurity response — not to mention the complications of the pandemic.
Fixing the problem isn’t as simple as clicking an update button on a computer screen. It requires upgrading an organization’s entire so-called “Active Directory,” which catalogues email users and their respective privileges.
“Taking down your e-mail server is not something you do lightly,” said Alperovitch, who chairs the nonprofit Silverado Policy Accelerator think tank.
Tony Cole of Attivo Networks said the huge number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overstretched cybersecurity officials. “There’s not enough incident response teams to handle all of this.”
Many experts were surprised and perplexed at how groups rushed to infect server installations just ahead of Microsoft’s patch release. Kennedy, of TrustedSec, said it took Microsoft too long to get a patch out, though he does not think it should have notified people about it before the patch was ready.
Steven Adair of the cybersecurity firm Volexity, which alerted Microsoft to the initial intrusion, described a “mass, indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries, (including) criminal actors.”
The Cybersecurity Infrastructure and Security Agency issued an urgent alert on the hack last Wednesday and National Security Adviser Jake Sullivan tweeted about it Thursday evening.
But the White House has yet to announce any specific initiative for responding.
By Frank Bajak, Eric Tucker, and Matt O’Brien for the Associated Press. Bajak reported from Boston, Massachusetts; Tucker reported from Washington, D.C.; and O’Brien reported from Providence, Rhode Island. AP writer Alan Suderman contributed from Richmond, Virginia.