Victims of a massive global hack of Microsoft mail server software – estimated in the tens of thousands by cybersecurity responders – scrambled Monday to shore up infected systems and try to reduce the chances that intruders could steal data or hamper their networks.
The White House called the hack an “active threat” and said senior national security officials were tackling it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting US political think tanks. Then, at the end of February, five days before Microsoft released a patch on March 2, there was an explosion of infiltrations by other intruders, adding to the initial breach. Victims run the gamut of organizations that run mail servers, from mom-and-pop retailers to law firms, city governments, healthcare providers and manufacturers.
Although the hack does not pose the most sophisticated kind of national security threat, the kind the Biden administration attributes to Russian intelligence operatives, it can pose an existential threat to victims who did not install the patch in time and now have hackers in their systems. The hack poses a new challenge for the White House, which, even as it prepares to respond to the SolarWinds breach, now faces a formidable and very different threat from China.
“I would say this is a serious threat to economic security because many small businesses can literally see their businesses destroyed by a targeted ransomware attack,” said Dmitri Alperovitch, former CTO of cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began on February 26, although other researchers say it is too early to attribute them with confidence. It is a mystery how these hackers got wind of the initial breach, because no one knew about it except a few researchers, Alperovitch said.
After the patch was released, a third wave of infections began, a pile-on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.
Cybersecurity analysts trying to get a full picture of the hack said their analyses matched the figure of 30,000 US victims released Friday by cybersecurity blogger Brian Krebs. Alperovitch said estimates put the number of victims worldwide at about 250,000.
Microsoft declined to say how many customers it thinks are infected.
David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to hacking.
“Anyone who had Exchange installed was potentially vulnerable,” he said. “It’s not all but it’s a large percentage of them.”
Katie Nickels, chief intelligence officer at cybersecurity firm Red Canary, warned that installing patches would not be enough to protect those already infected. “If you patch today, it will protect you in the future, but if the adversaries are already in your system, you need to deal with them,” she said.
A smaller number of organizations were targeted in the initial intrusion by hackers who took data, stole credentials, or explored internal networks and left backdoors at universities, defense contractors, law firms and infectious disease research centers, researchers said. Among those Kennedy has worked with are manufacturers concerned about intellectual property theft, hospitals, financial institutions, and managed service providers that host multiple corporate networks.
“On a scale of one to 10, it’s a 20,” Kennedy said. “It was basically a skeleton key to open any business that had this Microsoft product installed.”
Asked for comment, the Chinese Embassy in Washington highlighted last week’s remarks by Foreign Ministry spokesman Wang Wenbin that China “firmly opposes and fights cyber attacks and cyber theft under all circumstances” and rejected what it called “baseless accusations.”
The hack did not affect the cloud-based Microsoft 365 messaging and collaboration systems preferred by Fortune 500 companies and other organizations that can afford quality security. This highlights what some in the industry lament as two classes of computing: security “haves” and “have-nots.”
Ben Read, chief analysis officer at Mandiant, said the cybersecurity company hasn’t seen anyone take advantage of the hack for financial gain, “but for the people who are affected, time is of the essence to fix this problem.”
This is easier said than done for many victims. Many have small IT staff and cannot afford an emergency cybersecurity response – not to mention the complications of the.
Solving the problem is not as easy as clicking an update button on a computer screen. This requires upgrading an organization’s entire so-called “Active Directory”, which lists mail users and their respective privileges.
“Shutting down your mail server isn’t something you do lightly,” said Alperovitch, who chairs the nonprofit Silverado Policy Accelerator think tank.
Tony Cole of Attivo Networks said the large number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overworked cybersecurity officials. “There aren’t enough incident response teams to handle all of this.”
Many experts were surprised and puzzled at the way the groups rushed to infect server installations just before Microsoft’s patch was released. Kennedy, of TrustedSec, said it took too long for Microsoft to produce a fix, although he doesn’t think it should have let people know before the fix was ready.
Steven Adair of cybersecurity firm Volexity, who alerted Microsoft to the initial intrusion, described a “massive and indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries, (including) criminal actors.”
The Cybersecurity and Infrastructure Security Agency issued an urgent alert about the hack on Wednesday, and National Security Advisor Jake Sullivan tweeted about it the following night.
But the White House has not yet announced a specific initiative to respond to it.