FireEye finds evidence that Chinese hackers have been exploiting flaws in Microsoft's Exchange email server since January

The cybersecurity firm FireEye announced late on Thursday that it has found evidence that hackers have been exploiting a flaw in a widely used Microsoft email server product since January to target organizations across a variety of industries.

FireEye analysts wrote in a blog post that the company observed the hackers, which Microsoft said earlier this week are a Chinese state-sponsored group it calls "Hafnium", exploiting vulnerabilities in Microsoft's Exchange Server email software to gain access to at least one FireEye client starting in January.

Since then, FireEye has found evidence that the hackers have pursued a number of victims, including "United States based retailers, local governments, a university and an engineering company", as well as a Southeast Asian government and a Central Asian telecommunications company.

The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown vulnerabilities in Exchange Server to target organizations running the software.

Microsoft noted that Hafnium has historically sought to steal information from organizations including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations.

FireEye analysts wrote late on Thursday that “the activity reported by Microsoft is in line with our observations”.

"The activity we have seen, along with others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold in environments," the analysts wrote. "This activity is quickly followed by additional access and persistence mechanisms. As stated earlier, we have several cases in progress and will continue to provide information as we respond to intrusions."

The federal government may also have been affected by the Exchange Server vulnerabilities, for which Microsoft released patches earlier this week.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to examine their Exchange servers for signs of compromise and to patch them, or to disconnect them from their networks if a compromise is found.

Jake Sullivan, President Biden's national security advisor, on Thursday night encouraged all network owners to apply the Microsoft patch immediately.

"We are closely monitoring Microsoft's emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of possible compromises of U.S. think tanks and defense-based entities," Sullivan tweeted.

Former CISA director Christopher Krebs also highlighted the potential seriousness of the breach, tweeting Thursday night that “this is the real deal” and encouraging organizations running Exchange Server to enter “incident response mode”.

The newly discovered compromise comes while the federal government is still investigating a massive cyber espionage campaign attributed to Russia, which had been underway for at least a year before it was discovered.

The breach, which became known as the SolarWinds hack, involved hackers who compromised software from the IT company SolarWinds to reach as many as 18,000 of its customers. Last month, officials said at least nine federal agencies and about 100 private sector organizations had been compromised.

Both FireEye and Microsoft were among the organizations compromised as part of that operation, with FireEye widely credited with bringing the campaign to light when it publicly disclosed its own breach in December.
