US leading ‘total government response’ to apparent China-backed Microsoft hack

The Biden administration is undertaking a “whole of government response” to investigate and respond to cyberattacks against Microsoft’s Exchange Server, which the Big Tech company assesses are being carried out by a sophisticated group of hackers backed by the Chinese state.

Microsoft announced last week that it had detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” and said that its Threat Intelligence Center attributed the campaign “with high confidence” to a hacking group dubbed “Hafnium.” Microsoft said the group was “state-sponsored” and operated out of China.

Over the weekend, the FBI said it was “aware of Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the advanced persistent threat actor known to Microsoft as Hafnium.” The bureau declined to comment when asked whether that meant the FBI was also assessing whether it was a Chinese operation.

“We are undertaking a whole of government response to assess and address the impact,” a White House official told the Washington Examiner. “The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies. Senior levels of the National Security Council are working to resolve the incident, working with our public and private partners and looking closely at the next steps we need to take. We will keep you updated. This is an active threat still developing, and we urge network operators to take it very seriously.”

The FBI said it is “working closely with our interagency and private sector partners to understand the scope of the threat.”


The White House official said that the Biden administration is “aware of public reports that these actors are stepping up their efforts” and that “this is often the case after public disclosure, as the attackers know they have been detected and are working hard to compromise as many victims as possible before their systems are patched.” The official urged organizations to patch their servers quickly.

Last week, Microsoft said that the Chinese hackers used the Exchange vulnerabilities to access email accounts and install additional malware “to facilitate long-term access to victim environments.” The company said that Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs” and that it “operates primarily from leased virtual private servers in the United States.”

Microsoft Exchange Server handles an organization’s email, calendar, scheduling, contact and collaboration services. The NSC warned that “patching and mitigation is not remediation if the servers have already been compromised” and said: “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

The Cybersecurity and Infrastructure Security Agency said it “is aware of widespread domestic and international exploitation of these vulnerabilities” and “strongly urges” organizations to run a security script “as soon as possible.” Pentagon spokesman John Kirby said on Friday that the department was “taking all necessary steps to identify and remedy any possible issues related to this situation.”

Cybersecurity expert Brian Krebs first reported: “At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations.” Several other outlets soon cited sources saying that tens of thousands of customers were likely affected.

The blog of cybersecurity company Huntress said that “the webshell these threat actors are using is known as the ‘China Chopper’ one-liner.” Another cybersecurity company, FireEye, said that in a separate environment it saw a vulnerable Microsoft Exchange Server exploited by a threat actor deploying China Chopper, a webshell it says has “an increasing prevalence, especially among Chinese cybercriminals.”

White House press secretary Jen Psaki said on Friday that “this is a significant vulnerability that could have far-reaching impacts” and that “this is an active threat.” She added that “we are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

Last week, Microsoft executive Tom Burt called the Chinese hacking group “a highly skilled and sophisticated actor” that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”

He emphasized that “the exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks.”


China’s Foreign Ministry dismissed Microsoft’s claim that China was involved in the newly discovered cyberattacks, just as Russia denied blame for the SolarWinds hack.
