More than 20,000 American organizations compromised through Microsoft flaw, source says

More than 20,000 American organizations have been compromised through a back door installed via recently fixed flaws in Microsoft’s email software, a person familiar with the U.S. government’s response said on Friday.

The hacking has now reached more places than all the corrupted code downloaded from SolarWinds Corp, the company at the center of another massive wave of hacking discovered in December.

The latest hack left channels for remote access scattered among credit unions, city halls and small businesses, according to records from the U.S. investigation.

Tens of thousands of organizations in Asia and Europe have also been affected, the records show.

The hacks continue, despite the emergency patches released by Microsoft on Tuesday.

Microsoft, which initially said the hacks consisted of “limited, targeted attacks”, declined to comment on the scale of the problem on Friday, but said it was working with government agencies and security companies to provide help to customers.

It added, “Affected customers should contact our support teams for additional help and resources.”

A scan of connected devices showed that only 10% of those vulnerable had installed the patches by Friday, although the number was increasing.

Because installing the patch does not remove the back doors, U.S. officials are rushing to work out how to notify all the victims and guide them in their hunt.

All of those affected appear to run web versions of the Outlook email client and host them on their own machines, rather than relying on cloud providers. This may have spared many of the largest companies and federal government agencies, the records suggest.

The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found in Microsoft’s widely used Exchange servers are “significant” and “can have far-reaching impacts”.

“We are concerned about the large number of victims,” said Psaki.

Microsoft and the person working on the US response blamed the initial wave of attacks on an actor supported by the Chinese government. A Chinese government spokesman said the country was not behind the intrusions.

What started as a controlled attack at the end of last year against some classic espionage targets grew last month into a widespread campaign. Security officials said this implies that, unless China has changed tactics, a second group may have become involved.

More attacks are expected from other hackers as the code used to take control of the email servers spreads.

The hackers have used the back doors to re-enter and move around the infected networks in only a small percentage of cases, probably less than 1 in 10, said the person who works with the government.

“A few hundred guys are exploiting them as fast as they can,” stealing data and installing other ways to return later, he said.

The initial route of attack was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January. He said in a blog post that he was investigating whether the information had leaked.

He did not respond to requests for additional comments.
