Microsoft admitted this week that its Exchange service was hacked by a Chinese group. The problem reportedly affected at least 30,000 companies in the United States alone, including banks, police departments, hospitals and non-profit organizations.
Exchange is a corporate email platform that runs on Microsoft Servers, the company's server network. Microsoft was aware of the security breach and had even released a patch, but the attack occurred before everyone had updated the software.
According to the technology giant, the group responsible for the crime calls itself "Hafnium". In addition to the American victims, the attack was global in scope, with the number of those affected running into the millions.
Despite the large scale, Hafnium is primarily targeting entities in the United States, according to Microsoft itself. The attackers aim to "extract information from various sectors of the industry, including infectious disease researchers, law firms, higher education institutions, defense companies, policy think tanks and NGOs".
National Security Matters
The United States government considered the event so serious that it called a press conference last Friday (the 5th). White House press secretary Jen Psaki warned companies using Exchange to apply the new security patch as soon as possible.
“We are concerned about the large number of victims and we are working with our partners to understand the scope of all of this,” said the secretary.
Chris Krebs, a former director of the Cybersecurity and Infrastructure Agency, argued that everyone using the service should "make a commitment" to take steps to cut off the hackers' access.
Microsoft, which said it was contributing to the investigation and investing in security to limit the extent of the attack, explained that Hafnium used "exploits", which are sets of malware.
One of the ways to identify the responsible group was precisely the type of exploit used, which was already known. The intrusion was carried out in three stages. First, the attackers stole passwords from Exchange users by using previously unknown vulnerabilities.
Then they planted a so-called "web shell", a malicious script that allowed them to control the server remotely. Finally, they used that access to steal data from companies, organizations and public bodies.
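The web shell stage described above is the one a defender can most readily look for: a web shell is a script file that appears in a web-served directory where no legitimate deployment put it. The following Python script is an added illustration, not code from the article or from Microsoft; it compares a file-integrity baseline of a web directory taken before the incident window against a later snapshot and flags server-side script files that appeared or changed. The directory paths, file contents and the set of script extensions are constructed assumptions.

```python
"""Added example (not from the article): flag newly dropped or altered
server-side script files in a web-served directory, which is how a planted
web shell typically shows up in a file-integrity comparison.

The baseline and current snapshots are dicts of path -> file content,
constructed here for the example; on a real server they would come from a
file-integrity tool run before and after the patch window."""
import hashlib
from typing import Dict, List, Tuple

# Extensions the web server executes rather than serves verbatim.
# Which ones matter depends on the server; this set is an assumption.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def _digest(content: bytes) -> str:
    """SHA-256 of a file's content, hex-encoded."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content."""
    return {path: _digest(content) for path, content in files.items()}


def is_script(path: str) -> bool:
    """True if the path ends in an extension the web server would execute."""
    return path.lower().endswith(SCRIPT_EXTENSIONS)


def find_suspect_scripts(baseline: Dict[str, str],
                         current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for script files that are new since the
    baseline or whose content hash no longer matches it.  Non-script files
    (images, stylesheets) are ignored: they cannot give an attacker code
    execution on the server even if they were changed."""
    findings = []
    for path, digest in current.items():
        if not is_script(path):
            continue
        if path not in baseline:
            findings.append((path, "new script file not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "script file content changed since baseline"))
    return sorted(findings)


# Constructed sample: a known-good baseline, and a current snapshot in which
# one unexpected .aspx has been dropped, one existing .aspx was modified, and
# one harmless image was added (which must not be flagged).
BASELINE_FILES = {
    "/srv/web/auth/logon.aspx": b"<%@ Page %> original logon page",
    "/srv/web/auth/logo.png": b"\x89PNG constructed image bytes",
    "/srv/web/admin/default.aspx": b"<%@ Page %> original admin page",
}
CURRENT_FILES = {
    "/srv/web/auth/logon.aspx": b"<%@ Page %> original logon page",
    "/srv/web/auth/logo.png": b"\x89PNG constructed image bytes",
    "/srv/web/auth/banner.png": b"\x89PNG another constructed image",
    "/srv/web/admin/default.aspx": b"<%@ Page %> original admin page <%-- appended code --%>",
    "/srv/web/auth/help.aspx": b"<%-- unexpected script not deployed by anyone --%>",
}


def run_sample() -> List[Tuple[str, str]]:
    """Compare the constructed baseline and current snapshots."""
    return find_suspect_scripts(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"SUSPECT {path}: {reason}")
```

On a real deployment the baseline must be captured from a known-good state (a fresh install or a copy taken before the vulnerability window), and the comparison should run from outside the server's own trust boundary, since a compromised host can be made to lie about its files.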
"It is huge. Absolutely huge," a former US National Security officer told the Wired website about the attack. "We are talking about thousands of servers compromised per hour," said the source.
At the end of last year, Microsoft had already suffered a major hacker attack. At the time, the actions were attributed to Russian hackers.