Mon, December 06, 2021


Biden administration moving to address a global compromise by Chinese and other hackers of Microsoft email servers

WASHINGTON - The Biden administration is moving to address a global compromise by Chinese government-sponsored hackers of Microsoft email servers affecting at least 30,000 public and private entities in the United States alone, according to U.S. officials and people familiar with the matter.

So far, U.S. officials say there is no sign that federal agencies or major defense contractors have been hacked in the campaign that researchers believe began as far back as January, but they fear it could spiral into a crisis crippling many small and midsize businesses and state and local government agencies - those least able to afford it.

The broad, indiscriminate nature of the compromise and the difficulty in containing the infections has caused concern among officials at the White House, National Security Agency, Pentagon and Department of Homeland Security.

National security adviser Jake Sullivan issued an unusual late-night tweet Thursday urging organizations using Microsoft Exchange servers to apply "ASAP" a patch the tech giant rushed out this past week to prevent new infections. On Friday, the firm added further workarounds for companies that had not yet installed the patch.

Microsoft Exchange is one of the most commonly used non-cloud services for companies and government agencies operating their own email servers. The figure of 30,000 was first reported by blogger Brian Krebs.

The White House is looking at convening an emergency group of government agencies to address the issue, according to the officials, who spoke on the condition of anonymity to discuss internal deliberations. Officials are expected to hold a meeting this coming week to consider the creation of a cyber "Unified Coordination Group," which would review the scope and severity of the situation and determine what responses would be appropriate.

The matter arises as the Biden administration is preparing a series of measures to respond to Russia's SolarWinds hack of federal agencies and private companies. A key component of that response will be shoring up federal cybersecurity.

Microsoft has been coordinating with the government in both investigations.

The situation is "very, very serious," said one U.S. official.

Microsoft on Tuesday disclosed that its Exchange server software had security flaws that were being exploited by a group of Chinese government hackers it dubbed "Hafnium." The group has targeted infectious-disease researchers, law firms, universities and think tanks, among others, for data theft, Microsoft said.

State and local government agencies also have been compromised, which could be significant if agencies that handle critical local services such as policing and health services are offline, U.S. officials said.

Hafnium built hacking tools or "exploits" taking advantage of four security holes in Microsoft software to gain access to a victim's email server. Once inside, the hackers deposited "webshell" malware - a back door - that allowed them to control the server remotely and to return later to steal data.

Of the tens of thousands of organizations that have been infected by the webshell, it's not clear how many victims have had emails siphoned. Several "high value" targets have seen such losses, said Steven Adair, president of Volexity, a cybersecurity firm that tipped Microsoft to two of the four exploits.

Adair said his firm tracked the malicious activity back to early January, though researchers in Taiwan identified Exchange software bugs as far back as December.

For much of January and February, the Chinese theft of email seemed stealthy and targeted, Adair said. Then suddenly about a week ago, shortly before Microsoft issued its patch, the activity exploded. The hackers seemed to be dropping webshells on anyone running an Exchange server, he said. It was, he said, almost as if they suspected a patch was forthcoming. Although Microsoft issued a fix Tuesday, it does not neutralize a webshell already placed on a victim's server, which enables the hackers to sneak back in. "So there were a significant number of organizations that are safe from new exploitation but not safe from a ticking time bomb that was left behind," Adair said.

What's concerning U.S. officials and cybersecurity firms alike is that more than one hacking group now appears to be taking advantage of the webshells.

There "definitely appears to be multiple Chinese [government] groups and at least one Russian-language cybercriminal group" active, said Allan Liska, intelligence analyst at Recorded Future, a cyber threat research firm.

Even U.S. government personnel are struggling to sort out which hacker groups are doing what, and so far there is no firm attribution.

"It's like a free-for-all now," Adair said.

Researchers who scan the Internet for the presence of the malware are finding indications that up to 250,000 servers might be infected globally, said one person familiar with the matter.

Network administrators can remove the webshell, but the real challenge is that the vast majority of victims are organizations that lack the resources of the federal government or big companies to handle the patching and incident response needed, some experts said.
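The two points above, that the patch stops new exploitation but does not remove a web shell already dropped on a server, and that administrators have to find and remove the shell themselves, translate into a concrete triage task. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft or from Volexity. It assumes an on-premises Exchange host where Exchange Setup has set the `ExchangeInstallPath` environment variable, and it assumes the shells of interest are script files (`.aspx`, `.asp`, `.ashx`) written into the Internet-facing virtual directories under `FrontEnd\HttpProxy` and `ClientAccess`; the `-Roots`, `-Since` and `-Extensions` parameters are the script's own and should be adjusted to the environment.

```powershell
# Added example, not from the Washington Post article: list web-script files
# under an Exchange server's Internet-facing directories that were created or
# modified after a date the administrator believes the server was still clean.
# Assumptions (not stated in the article): ExchangeInstallPath is set by Exchange
# Setup, and the default roots below match a standard Exchange install layout.
[CmdletBinding()]
param(
    # Directories to inspect; defaults are an assumption about the install layout.
    [string[]]$Roots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        (Join-Path $env:ExchangeInstallPath 'ClientAccess')
    ),
    # Files newer than this are reported. The article traces the activity to
    # early January 2021; use the last date you know the server was clean.
    [datetime]$Since = (Get-Date '2021-01-01'),
    [string[]]$Extensions = @('.aspx', '.asp', '.ashx')
)

function Get-RecentWebScriptFiles {
    param([string[]]$Roots, [datetime]$Since, [string[]]$Extensions)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Root not found (check the path assumptions): $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object {
                $Extensions -contains $_.Extension.ToLower() -and
                ($_.CreationTime -gt $Since -or $_.LastWriteTime -gt $Since)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeBytes = $_.Length
                    # Hash lets the file be compared with a known-good install
                    # and preserved as evidence before anything is deleted.
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$findings = Get-RecentWebScriptFiles -Roots $Roots -Since $Since -Extensions $Extensions
if ($findings) {
    $findings | Sort-Object Created | Format-Table -AutoSize
    Write-Host "`nCompare each file against a known-good Exchange install; copy it off the host before removal so incident responders can examine it."
} else {
    Write-Host "No script files newer than $Since found under the inspected roots."
}
```

The script reports candidates rather than deleting them: legitimate Exchange files also live in these directories, so each hit has to be checked against a clean install or vendor file list. Running it on an already-patched server is the point, since, as the article notes, the patch alone leaves any earlier-placed shell in place.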

Once the hackers have control of a victim's email server, they can more easily compromise entire networks. One fear that some U.S. officials have is that criminal hackers might use that access to install ransomware on massive numbers of businesses and government agencies. That could be more disruptive to average consumers than email theft, one official said.

Published: March 07, 2021

By: The Washington Post · Ellen Nakashima