
The Daily Beast

How China’s devastating Microsoft hack puts us all at risk

During the Second World War, Chinese Communists cultivated opium in their base area and trafficked it into Japanese-occupied cities. Mao Zedong’s man in charge of the operation was one of the greatest spymasters of the time, Li Kenong. Although Mao later regretted cultivating the “special product”, which he had called “the right thing”, the drug disrupted the enemy’s rear and benefited the economy of the Red area. Now Beijing appears to be applying the same strategy to the rear of the West, disrupting online systems while simultaneously benefiting the Chinese economy with viruses and worms used to steal information from computer systems around the world.

The latest mass exploitation against thousands of organizations, disclosed on March 2, was dubbed the Microsoft Exchange hack; it exploits the servers that manage email systems. The hack allows the perpetrators to read messages from selected targets and venture further into infected networks. More than 60,000 organizations in the U.S. and at least 280,000 users worldwide running Microsoft Exchange for their email were hacked between February 26 and March 3, according to Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency. The organizations include defense contractors, universities, state and local governments, policy think tanks, infectious disease researchers and companies: anyone who has chosen to use Microsoft Exchange for their email service.

“This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26 and 03/03. Check for 8-character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you are now in incident response mode.” https://t.co/865Q8cc1Rm (Chris Krebs, @C_C_Krebs, March 5, 2021)

The unidentified group behind the hack, assessed by Microsoft as a Chinese state-sponsored entity, is known by the code name HAFNIUM.
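Krebs’s check can be scripted. The following is an added example, not code from the article or from Krebs, that walks a directory tree and reports files whose base name is exactly eight alphanumeric characters with an .aspx extension; it assumes “8-character” refers to the base name, and the demo builds a constructed temporary tree shaped like the Exchange path so it runs anywhere. On a live server, point find_suspicious_aspx at the aspnet_client\system_web folder from the tweet.

```python
import os
import re
import tempfile
from pathlib import Path

# Krebs's indicator: an .aspx file whose name is eight characters long.
# Assumption: the eight characters are the base name, excluding ".aspx".
SUSPICIOUS_NAME = re.compile(r"^[A-Za-z0-9]{8}\.aspx$", re.IGNORECASE)

# Directory named in the tweet; on a live Exchange server pass this to the scanner.
EXCHANGE_ASPNET_DIR = r"C:\inetpub\wwwroot\aspnet_client\system_web"


def find_suspicious_aspx(root):
    """Walk root and return sorted relative paths of files matching the indicator."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SUSPICIOUS_NAME.match(name):
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def demo():
    """Scan a constructed directory tree shaped like the Exchange path (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "aspnet_client", "system_web")
        web.mkdir(parents=True)
        # Constructed sample files: the first two match the indicator, the last two do not.
        (web / "aBcD1234.aspx").write_text("constructed sample")
        (web / "xyz98765.ASPX").write_text("constructed sample")
        (web / "default.aspx").write_text("constructed sample")  # normal-looking name
        (web / "abcd1234.txt").write_text("constructed sample")  # right length, wrong extension
        return find_suspicious_aspx(tmp)


if __name__ == "__main__":
    hits = demo()
    print(f"{len(hits)} suspicious file(s) found")
    for hit in hits:
        print("  incident response mode:", hit)
```

A hit on a real server is a reason to start incident response, as the tweet says, not proof on its own; confirm by reviewing the file’s contents and creation time.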
The hack allowed unauthorized access to entire email systems and, from there, to connected databases that store classified information, trade secrets, a wide range of other proprietary information and personally identifiable information such as names, addresses, phone numbers and Social Security numbers, which is useful for identity theft.

Named after a chemical element discovered in 1923, HAFNIUM is a new activity group and has not yet been characterized clearly enough to receive a cryptonym like “TURBINE PANDA”, the name given to the cyber espionage activities of the infamous Jiangsu State Security Bureau, which is linked to the 2014 OPM hack, another massive data breach, and to the case of Yanjun Xu, the State Security officer extradited to the U.S. from Belgium for attempting to steal GE’s advanced jet engine technology.

Bad actors in China and beyond, working on behalf of intelligence services or criminal organizations, are expected to quickly develop proof-of-concept versions of the HAFNIUM exploits, that is, to show that they can use the vulnerability to infiltrate a target system and perform benign tasks, such as opening the calculator or moving the cursor. From there, it is a small step to turn the exploit into malware. According to an industry source, several other Chinese hacker groups may have used the same zero-day vulnerabilities as HAFNIUM. Criminal organizations outside China had already deployed ransomware using the vulnerability just nine days after it was disclosed, faster than in previous cases. This will further challenge cybersecurity investigators in their attempts to attribute the attacks to specific entities. The situation is so toxic that the Biden administration issued a public warning on March 12 that organizations “have hours, not days” to update exposed servers with the software patches already issued by Microsoft. Ordinary users may have noticed two lengthy updates from Microsoft last week to eliminate the vulnerabilities.
The fact that Microsoft has identified HAFNIUM as a Chinese state-sponsored actor indicates that Beijing’s security services, probably the Ministry of State Security (MSS), continue to seek massive data collection, as in the APT3 exploitation of 2017, attributed to the Guangdong State Security Department. It is no surprise that China’s malicious multi-stage HAFNIUM operation against Microsoft Exchange servers bears some operational resemblance to Russia’s SolarWinds attack. Both rely on the widespread use of a targeted system, SolarWinds and Microsoft Exchange respectively, as the vector to reach the real objective: the tens of thousands of users who hold confidential information, such as U.S. defense production data, weapon system designs, trade secrets useful to China’s latest Five Year Plan and the emails of Beijing’s alleged political enemies.

These intelligence goals resemble the targets of Russian and Chinese communist intelligence agencies in the last century. From the late 1920s to the late 1950s, the Russian and Chinese Communist spy services shared selected information about their common enemies: Japan and Germany in World War II, and the United States and its allies at the start of the Cold War. It remains to be seen whether evidence emerges of modern cooperation between Moscow and Beijing, whose relations have steadily improved since the collapse of the Soviet Union in 1991, to research and carry out cyber attacks. Although it is a tenuous link, evidence emerged on March 8 that hackers in China targeted SolarWinds customers in an operation separate from the Russian attacks.

These exploits underline how the large-scale exploitation of computer networks in the 21st century has reshaped the collection of technical intelligence, and not just among the superpowers. During the Cold War, useful signals intelligence operations required the resources of an advanced industrial state.
Now the advantage in conducting massive and devastating hacks belongs to any player, big or small, who has the best software developers. The new battleground, with its potential for attacks on power grids, hospitals and sensitive facilities such as nuclear power plants, puts entire populations in significant danger.

Although individual users may feel helpless in this Black Mirror scenario, they have several easy measures at their fingertips that anyone, technical or otherwise, can employ. The first step is to enable two-factor authentication on every application that offers it. This makes it difficult for third parties to intrude into your account even if they have managed to steal your password. Second, the most common and yet most commonly ignored advice: never click on links in emails unless you are sure they are legitimate. That is how adversaries have gained access to the Pentagon’s computers over and over again. No. Click. Unless you want to end up like Hillary Clinton’s campaign chairman, John Podesta, with his emails hacked and shared with the world. Third, users who exchange confidential information in particular should employ a virtual private network (VPN) to hide their traffic. Nowadays, why not hide every keystroke and web search from prying eyes? Fourth, never postpone software updates. There is a large international market not only for zero-day vulnerabilities but also for one-day (publicly known and already fixed) vulnerabilities. Why? A high percentage of users skip updates, leaving themselves open to known exploits already shared publicly worldwide on GitHub, the open cloud-based code-sharing service. As soon as an exploit is posted on GitHub, anyone can use it. Criminals then go after the lower-hanging fruit, including the large number of people who do not bother with software updates and patches. This especially includes those who use pirated software. Formerly a cheap alternative, pirated software has become the Typhoid Mary of the digital space.
Do you need some motivation to do the right things? Take a look at This Is How They Tell Me the World Ends, a frightening exposé of the global cyber weapons market, which is partially fueled by U.S. taxpayer dollars. China is certainly watching.

Co-published with SpyTalk, where Jeff Stein leads a team of veteran investigative reporters, writers and subject matter experts who take you behind the scenes of the national security state.
