FireEye finds evidence that Chinese hackers have been exploiting the bug in Microsoft’s email app since January

Cybersecurity group FireEye announced Thursday evening that it had found evidence that hackers had been exploiting a flaw in a popular Microsoft email application to target victims across industries since January.

FireEye analysts wrote in a blog post that the company had observed the hackers – which Microsoft announced earlier this week were a Chinese state-sponsored hacking group known as ‘Hafnium’ – exploiting vulnerabilities in Microsoft’s Exchange Server email program to target at least one FireEye client since January.

Since then, FireEye has found evidence that the hackers had gone after a string of victims, including “US retailers, local governments, a university and an engineering company”, along with a Southeast Asian government and a Central Asian telecom.

The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to go after groups running the program.

Microsoft noted that Hafnium was previously known to steal information from organizations, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations.

FireEye analysts wrote Thursday evening that “the activity reported by Microsoft is consistent with our observations.”

“The activity we observed, in conjunction with others in the information security industry, indicates that these threat actors are likely to use Exchange Server vulnerabilities to gain a foothold in environments,” the analysts wrote. “This activity is quickly followed by additional access and persistent mechanisms. As previously mentioned, we have multiple pending cases and will continue to provide insight as we respond to break-ins.”

The federal government may also have been affected by the email application vulnerability, for which Microsoft released a patch earlier this week.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate for signs of compromise and to patch the Exchange Server program, or disconnect it if a compromise had occurred.

Jake Sullivan, President Biden’s national security adviser, encouraged all network owners to immediately implement the Microsoft patch Thursday night.

“We follow Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of possible compromises from US think tanks and defense industrial base entities,” Sullivan tweeted.

Former CISA Director Christopher Krebs also underlined the potential seriousness of the breach, tweeting Thursday night that “this is the real deal”, encouraging organizations running Exchange Server to go into “incident response mode”.

The newly discovered compromise comes as the federal government is still investigating a massive Russian cyber-espionage attack that had been going on for at least a year before it was discovered.

The breach, which has come to be known as the SolarWinds hack, involved hackers exploiting software from IT group SolarWinds to reach up to 18,000 of its customers. As of last month, at least nine federal agencies and 100 private sector groups had been compromised.

Both FireEye and Microsoft were among the groups compromised as part of the hacking operation, with FireEye being widely credited with drawing attention to the incident by coming out publicly in December after it was breached.
