Microsoft says Chinese hackers have exploited a bug to attack US companies

China-based government hackers have exploited a bug in Microsoft’s email server software to attack US organizations, the company said Tuesday.

Microsoft said a “highly skilled and sophisticated” state-sponsored group operating out of China has attempted to steal information from a number of US targets, including universities, defense companies, law firms and infectious disease researchers.

Microsoft said it has released security upgrades to fix vulnerabilities in the Exchange Server software, which is used for corporate email and calendar services, usually for larger organizations that have their own personal email servers. It does not affect personal email accounts or Microsoft’s cloud-based services.

The company said the hacking group it calls Hafnium was able to trick Exchange servers into giving it access. The hackers then pretended to be someone who should have access and created a way to control the server remotely so that they could steal data from an organization’s network.

Microsoft said the group is based in China, but operates from rented private virtual servers in the US, thus avoiding detection.

The company declined to name specific targets or how many organizations were affected.

Reston, Virginia-based cybersecurity company Volexity, which thanks Microsoft for helping to detect the intruders, said its network security monitoring began catching a suspiciously large data transfer in late January.

“They just download email and literally go to town,” said Steven Adair, the president of Volexity, who said the targets were “defense contractors, international aid and development organizations and the NGO think tank community.”

Adair said he is concerned that the hackers will accelerate their operations in the coming days before organizations can install Microsoft’s security upgrades.

“As bad as it is now, I think it’s going to get a lot worse,” he said. “This gives them a limited opportunity to exploit something. The patch doesn’t fix that if they left their back door behind.”
