
China-Linked Hack Hits Tens of Thousands of U.S. Microsoft Customers

By Robert McMillan and Dustin Volz 

A cyberattack on Microsoft Corp.'s Outlook email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter.

Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.

While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.

The hackers have been exploiting a series of four flaws in Microsoft's Exchange software to break into email accounts and read messages without authorization, and to install unauthorized software, the company said. Those flaws are known as zero days among cybersecurity professionals because they relied on previously undisclosed software bugs, suggesting a high degree of sophistication by the hackers.

"It was being used in a really stealthy manner to not raise any alarm bells," said Steven Adair, founder of the cybersecurity firm Volexity Inc., one of the companies that Microsoft credited with reporting the issue.

Microsoft publicized the attack on Tuesday and identified the culprits as a Chinese cyberespionage group that it dubbed Hafnium. The company provided a software patch to users to fix the bugs.

A few days before that happened, however, the hackers changed tactics. They abandoned stealth and began using automated software to scan the internet for vulnerable servers and infect them, Mr. Adair said. "The attackers cranked up a huge notch over this past weekend," he said. "They're just hitting every Exchange server they can find on the internet."

A Microsoft spokesman said Friday the company was working with government agencies and security companies on mitigating the incident, but declined to comment on the scope of the attack. News on the attack's scope was reported earlier by the blogger Brian Krebs.

For years, U.S. authorities have accused China of widespread hacking against American businesses and government agencies. China has denied these allegations.

The attack follows an earlier suspected Russian cyberattack, disclosed in December, on U.S. government systems and American businesses. But that attack, which involved breaking into a networking-software company called SolarWinds Inc., was a surgical strike that broke into about 100 companies and nine government agencies. This latest incident, by contrast, was more of a shotgun blast, infecting tens of thousands of victims or more.

Security experts familiar with the matter said among the concerns with this latest attack is that incident response teams are already pushed to their limits handling that earlier, continuing problem. Microsoft has said the two attacks aren't related.

The latest hack has prompted widespread concern within the Biden administration, as several government officials in recent days have sought to warn about its potential severity. The Cybersecurity and Infrastructure Security Agency issued a rare emergency directive this week requiring federal government agencies to immediately patch or disconnect on-premises Microsoft Exchange products. CISA held a call Friday with more than 4,000 critical infrastructure partners in the private sector and state and local governments encouraging them to patch their systems.

Also on Friday, White House press secretary Jen Psaki told reporters during a press briefing that the Microsoft vulnerabilities were of significant concern and "could have far-reaching impacts" and result in a "large number of victims."

In an update to its alert, posted Thursday, CISA warned that hackers were using automated tools to scour the internet for vulnerable Exchange servers.

The security firm Symantec has identified a "handful" of hacking groups, all linked to China, behind these attacks, said Vikram Thakur, a security researcher at the company. The victims have tended to be small and medium-size organizations because many larger ones either don't run some of the Exchange components that include these flaws or limit access to Exchange by using security tools such as virtual private networks, he said.

Users of Microsoft's cloud-based Office 365 product are unaffected by the hack, the company said.

Mandiant, another security firm, said in a blog post this week that it had witnessed multiple instances of Microsoft Exchange Server abuse dating to January. Detected victims of the attack include U.S.-based retailers, local governments, at least one university and an engineering firm, Mandiant said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Dustin Volz at dustin.volz@wsj.com


(END) Dow Jones Newswires

March 06, 2021 00:34 ET (05:34 GMT)

Copyright (c) 2021 Dow Jones & Company, Inc.
