
Microsoft blames China for global e-mail system hack

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 08 Mar 2021

Microsoft has blamed the Chinese government for a cyber security incident that resulted in tens of thousands of compromised e-mail servers around the world.

A sophisticated attack discovered last week on Microsoft’s e-mail system, Microsoft Exchange, is reportedly escalating into a global cyber security disaster, as hackers race to infect as many users as possible.

Microsoft Exchange provides the work or school e-mail accounts used by organisations, and runs on the Windows Server operating system.

The incident, which had affected over 60 000 users across the globe by the weekend, mainly US-based small and medium businesses, banks and energy suppliers, was attributed by the Microsoft Threat Intelligence Centre to a Chinese state-sponsored threat actor, called Hafnium.

According to the tech giant, Hafnium, which operates from China, is a highly skilled and sophisticated actor that primarily targets entities in the US for the purpose of exfiltrating information from a number of sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs.

Microsoft has since released security updates which it says will protect customers running Exchange Server. However, it notes that even though it has worked quickly to deploy an update for the Hafnium exploits, many nation-state actors and criminal groups are also expected to move quickly to take advantage of any unpatched systems.

“We strongly encourage all Exchange Server customers to apply these updates immediately,” says Tom Burt, Microsoft corporate VP of customer security and trust.

“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers, or that these exploits impact other Microsoft products. Promptly applying today’s patches is the best protection against this attack.”

The US government’s cyber security agency issued an emergency warning last week, urging state institutions to urgently patch their systems.

Research firm FireEye says, based on its investigation, the hackers started their attack in January but escalated their efforts in recent weeks. The activity included creation of Web shells for persistent access, remote code execution and reconnaissance for endpoint security solutions.

“We have identified an array of affected victims, including US-based retailers, local governments, a university and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. While the use of Web shells is common among threat actors, the parent processes, timing and victims of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange,” say FireEye researchers.
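FireEye's point that the parent processes of the web shell files give the activity away is the basis of a common defensive check: a web server worker process should never be the parent of a command interpreter or a reconnaissance tool. The script below is an added illustration written for this article, not FireEye's or Microsoft's own detection logic. It assumes Sysmon-style process-creation events and that Exchange web shells execute under the IIS worker process (w3wp.exe); the log lines, host name and field layout are constructed.

```python
"""Flag shell-like child processes spawned by the IIS worker process.

Added illustration, not FireEye's or Microsoft's own detection logic. Assumes
Sysmon-style process-creation events and that Exchange web shells run under
the IIS worker process (w3wp.exe). All sample log lines are constructed.
"""
from dataclasses import dataclass
import ntpath

# Parent processes that should never launch interactive shells (assumption).
WEB_WORKER_PARENTS = {"w3wp.exe"}
# Child images commonly seen when a web shell runs commands or recon (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "whoami.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited constructed log line into a ProcessEvent."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    return ProcessEvent(*fields)


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a web worker process spawns a command interpreter or recon tool."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    return parent in WEB_WORKER_PARENTS and child in SUSPICIOUS_CHILDREN


def find_suspicious(lines):
    """Return the events matching the parent/child heuristic, in log order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events: timestamp | host | parent image | image | command line
SAMPLE_LOG = [
    "2021-03-02T03:14:07Z | MAIL01 | C:\\Windows\\System32\\inetsrv\\w3wp.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c whoami",
    "2021-03-02T03:14:09Z | MAIL01 | C:\\Windows\\System32\\inetsrv\\w3wp.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell -Command Get-Process",
    "2021-03-02T03:15:00Z | MAIL01 | C:\\Windows\\System32\\services.exe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs",
    "2021-03-02T03:16:30Z | MAIL01 | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe",
]

if __name__ == "__main__":
    # Only the two w3wp.exe-parented events are reported; the explorer.exe
    # launch of cmd.exe is ordinary user activity and is left alone.
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: {ev.parent_image} -> {ev.command_line}")
```

The heuristic deliberately keys on the parent image rather than on the web shell file itself, since shell files are easy to rename while the process lineage they produce is not; in a real deployment the parent and child lists would be tuned to the organisation's own baseline.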

As the investigation into the breach continues, the number of affected customers is expected to rise.

According to Microsoft, this is the eighth time in the past 12 months that it has publicly disclosed nation-state groups targeting institutions critical to civil society.

Other hacking activity it disclosed previously targeted healthcare organisations fighting COVID-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.
