According to a source, more than 20,000 US organizations have been compromised through a Microsoft flaw

More than 20,000 US organizations have been compromised through a backdoor installed via recently patched bugs in Microsoft’s email software, a person familiar with the US government’s response said on Friday.

The hacking has already reached more places than all of the contaminated code downloaded from SolarWinds Corp, the company at the heart of another massive hacking attack that came to light in December.

According to data from the US investigation, the latest hack has left remote access channels spread across credit unions, city councils and small businesses.

Tens of thousands of organizations in Asia and Europe are also affected, the data shows.

The hacks continue despite emergency patches released by Microsoft on Tuesday.

Microsoft, which had initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the magnitude of the problem on Friday, but said it was working with government agencies and security companies to help customers.

It added, “Affected customers should contact our support teams for additional help and resources.”

A scan of connected devices showed that only 10% of those vulnerable had the patches installed as of Friday, although the number was rising.

Since installing the patch doesn’t get rid of the back doors, US officials are rushing to figure out how to notify all victims and guide them in their hunt.

All of those affected appear to be running web versions of the Outlook email client and hosting them on their own machines, rather than relying on cloud providers. That may have spared many of the largest corporations and federal government agencies, the data suggests.

The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant” and “could have far-reaching implications.”

“We are concerned that there are a large number of victims,” said Psaki.

Microsoft and the person who worked with the US response blamed the initial wave of attacks on a Chinese government-backed actor. A spokesman for the Chinese government said the country was not behind the intrusions.

What started as a controlled attack on some classic spy targets late last year grew into a widespread campaign last month. Security officials said this implied that unless China had changed tactics, a second group would have become involved.

More attacks are expected from other hackers as the code used to take control of the mail servers spreads.

The hackers used the back doors to re-enter and move through the infected networks in only a small percentage of cases, probably fewer than 1 in 10, said the person who worked with the government.

“A few hundred guys are using it as soon as possible,” stealing data and installing other ways to return later, he said.

The first attack route was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January. He said in a blog post that he was investigating whether the information was leaked.

He did not respond to requests for further comment.
