- Microsoft says the attack started with a group of hackers backed by the Chinese government.
- The rapidly escalating attack has raised the concern of US national security officials, in part because hackers were able to target so many victims so quickly.
- Both incidents, along with the recent SolarWinds attack, show the fragility of modern networks and the sophistication of state-sponsored hackers.
A sophisticated attack on Microsoft’s widely used business email software is morphing into a global cybersecurity crisis as hackers rush to infect as many victims as possible before companies can protect their computer systems.
The attack, which Microsoft has said began with a group of hackers backed by the Chinese government, has so far claimed at least 60,000 known victims worldwide, according to a former senior US official with knowledge of the investigation. Many of them appear to be small or medium-sized companies caught in a vast web that the attackers launched while Microsoft was working to shut down the hack.
Victims identified so far include banks and electricity providers, as well as nursing homes and an ice cream company, according to a blog post on Friday by Huntress, an Ellicott City, Maryland-based company that monitors the security of its customers.
An American cybersecurity company that asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while trying to evict them.
The rapid escalation of the attack raised the concern of US national security officials, in part because hackers were able to target so many victims so quickly. Investigators say that in the final phases of the attack, hackers appeared to have automated the process, capturing tens of thousands of new victims around the world in a matter of days.
“We are conducting an entire government response to assess and address the impact,” a White House official wrote in an email Saturday. “This is an active threat that is still developing and we urge network operators to take it very seriously.”
The Chinese hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks via the company’s popular Exchange email software for several months, initially targeting only a small number of victims, according to Steven Adair, director of Volexity, based in Northern Virginia. The cybersecurity company helped Microsoft identify flaws being used by hackers for which the software giant issued a fix on Tuesday.
The result is a second cybersecurity crisis that comes just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through rigged updates from IT management software maker SolarWinds LLC. Cybersecurity experts defending the world’s computer systems expressed a growing sense of frustration and exhaustion.
‘I am getting tired’
“The good guys are getting tired,” said Charles Carmakal, senior vice president of FireEye, the Milpitas, California-based cybersecurity company.
When asked about Microsoft’s attribution of the attack to China, a spokesman for the Chinese Foreign Ministry said on Wednesday that the country “strongly opposes and fights cyberattacks and cyber theft in all its forms” and suggested that assigning blame to a particular nation was a “very sensitive political issue.”
Both the most recent incident and the SolarWinds attack show the fragility of modern networks and the sophistication of state-sponsored hackers in identifying hard-to-find vulnerabilities, or even creating them, for spying. They also involve complex cyberattacks, with an initial blast radius of a large number of computers that then shrinks as attackers concentrate their efforts, which can take affected organizations weeks or months to resolve.
In the case of the Microsoft bugs, simply applying the company-provided updates will not remove attackers already inside a network. A review of the affected systems is required, Carmakal said. The White House emphasized the same, including tweets from the National Security Council urging the growing list of victims to carefully check their computers for signs of attackers.
Initially, Chinese hackers appeared to target high-value intelligence targets in the US, Adair said. About a week ago, everything changed. Other groups of unidentified hackers began attacking thousands of victims in a short period, inserting hidden software that could give them access later, he said.
‘Mass exploitation’
“They went to the city and started massive exploitation – indiscriminate attacks that compromise exchange servers, literally all over the world, regardless of purpose, size or industry,” Adair said. “They were attacking each and every server that they could.”
Adair said that other hacker groups may have found the same flaws and started their own attacks, or that China may have wanted to capture as many victims as possible and then determine which ones had intelligence value.
Either way, the attacks were so successful, and so fast, that hackers seem to have found a way to automate the process. “If you are running an Exchange server, you are most likely a victim,” he said.
Data from other security companies suggests that the scope of the attacks may not be that bad. Huntress researchers examined around 3,000 vulnerable servers on their partners’ networks and found around 350 infections, or just over 10%.
While SolarWinds hackers infected organizations of all sizes, many of the latest victims are small and medium-sized businesses and local government agencies. Organizations that could be hardest hit are those that have an email server running the vulnerable software and directly exposed to the Internet, a risky setup that larger companies generally avoid.
Smaller organizations “are already struggling because of the Covid shutdowns; this exacerbates an already bad situation,” said Jim McMurry, founder of Milton Security Group, a cybersecurity monitoring service in Southern California. “I know from working with some clients that this is consuming a great deal of time to track, clean, and ensure they are not affected outside of the initial attack vector.”
McMurry said the problem is “very serious” but added that the damage should be mitigated a bit by the fact that “this was fixable, it could be fixed.”
Microsoft said customers using its cloud-based email system are not affected. Using automation to launch highly sophisticated attacks may mark a terrifying new era in cybersecurity, one that could overwhelm defenders’ limited resources, several experts said.
Some of the initial infections appear to have been the result of automated malware scanning and installation, said Alex Stamos, a cybersecurity consultant.
Researchers will look for infections that led hackers to take the next step and steal data, such as email files, and search for valuable information later, he said. “If you were running one of these teams, you would be getting the email as quickly as possible indiscriminately and then mining for gold,” Stamos said.