Victims of a massive global hack of Microsoft email server software – estimated in the tens of thousands by cybersecurity responders – rushed Monday to support infected systems and try to reduce the likelihood of intruders stealing data or disrupting their networks.
The White House called the hack an “active threat” and said senior national security officials are addressing it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting US think tanks. In late February, five days before Microsoft released a patch on March 2, there was an explosion of infiltrations by other intruders piggybacking on the first breach. Victims span the full range of organizations that run their own email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.
Although the hack does not pose the kind of national security threat that the more sophisticated SolarWinds campaign does, which the Biden administration blames on Russian intelligence officers, it could pose an existential threat to victims who failed to install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge to the White House, which, even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.
“I would say it poses a serious threat to economic security because so many small businesses can have their businesses literally destroyed by a targeted ransomware attack,” said Dmitri Alperovitch, former technical director of cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began on Feb. 26, although other researchers say it is too early to attribute them with confidence. It’s a mystery how those hackers got wind of the first breach, as no one was aware of it except for a few investigators, Alperovitch said.
After the patch was released, a third wave of infections began, a pile-on that is typical in such cases because Microsoft dominates the software market and provides a single point of attack.
Cybersecurity analysts trying to get a complete picture of the hack said their analyses match the figure of 30,000 US victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said there are an estimated 250,000 victims worldwide.
Microsoft has declined to say how many customers it says are infected.
David Kennedy, CEO of cybersecurity company TrustedSec, said hundreds of thousands of organizations could be vulnerable to the hack.
“Anyone who installed Exchange was potentially vulnerable,” he said. “It’s not all, but it’s a big percentage of them.”
Katie Nickels, intelligence director at the cybersecurity firm Red Canary, warned that installing patches won’t be enough to protect those already infected. “If you patch today, it will protect you in the future, but if the opponents are already in your system, then you have to take care of that,” she said.
A smaller number of organizations were targeted by the initial intrusion by hackers who grabbed data, stole credentials or explored within networks and left back doors at universities, defense contractors, law firms and infectious disease research centers, researchers said. Kennedy has worked with manufacturers concerned about intellectual property theft, hospitals, financial institutions and managed service providers hosting multiple corporate networks, among others.
“On a scale of 1 to 10, this is a 20,” said Kennedy. “It was essentially a skeleton key to access any company that had this Microsoft product installed.”
Asked for comment, the Chinese Embassy in Washington last week pointed to comments made by Foreign Ministry spokesman Wang Wenbin, who said China “resists and fights against cyber-attacks and cyber-theft in all forms” and warned that attribution of cyber-attacks should be based on evidence and not on “unfounded charges.”
The hack did not affect the cloud-based Microsoft 365 email and collaboration systems preferred by Fortune 500 companies and other organizations that can afford high-quality security. That highlights what some in the industry deplore as two computer classes – the security ‘haves’ and ‘have-nots’.
Ben Read, director of analysis at Mandiant, said the cybersecurity firm has never seen anyone use the hack for financial gain, “but for those affected, time is of the essence to resolve this issue.”
That is easier said than done for many victims. Many have skeleton IT staff and cannot afford a cybersecurity response, not to mention the complications of the pandemic.
Fixing the problem isn’t as easy as clicking an update button on a computer screen. It requires an upgrade of an organization’s entire so-called “Active Directory”, which catalogs email users and their respective privileges.
“You don’t take your email server down lightly,” said Alperovitch, chairman of the nonprofit think tank Silverado Policy Accelerator.
Tony Cole of Attivo Networks said the sheer number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overloaded cybersecurity staff. “There are not enough incident response teams to resolve all of this.”
Many experts were surprised and amazed at the way groups rushed to infect server installations just before Microsoft’s patch release. Kennedy, of TrustedSec, said it took Microsoft too long to release a patch, although he doesn’t think it should have informed people about it before the patch was ready.
Steven Adair of cybersecurity firm Volexity, who notified Microsoft of the initial breach, described a “massive, indiscriminate exploitation” that began the weekend before the patch was released and involved groups from “many different countries, (including) criminal actors.”
The Cybersecurity and Infrastructure Security Agency issued an urgent warning about the hack on Wednesday, and national security adviser Jake Sullivan tweeted about it the following night.
But the White House has yet to announce a specific initiative to respond.