Chinese cyberattackers exploited Microsoft Exchange Server vulnerabilities to steal information from a wide array of U.S. entities, according to Microsoft. Cybersecurity researchers at Volexity, who assisted Microsoft, assessed that the attacks began "as early as January 6, 2021," the same day as the riot at the U.S. Capitol.
Microsoft attributed the malicious campaign to a group it calls HAFNIUM, which Microsoft corporate vice president Tom Burt described as a state-sponsored group operating from China. Mr. Burt wrote on the company's blog that Microsoft had not previously discussed HAFNIUM and that it believes the China-based group conducts its operations from leased virtual private servers inside the U.S.
“The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access,” wrote Mr. Burt on Microsoft’s blog. “Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access—run from the U.S.-based private servers—to steal data from an organization’s network.”
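The second step Mr. Burt describes, a web shell dropped onto the Exchange server, is the part a defender can hunt for on disk: a web-accessible .aspx page that takes attacker-supplied input from the HTTP request and executes it. The scanner below is an added example written for this article, not code from Microsoft or Volexity. It walks a set of IIS content roots, scores each server-side script file against a small set of heuristic patterns (the patterns and the minimum score are assumptions for illustration, not published indicators), and reports candidates. The sample directory tree it builds is constructed for the demonstration and contains no real artifact; on a real server the roots would instead be the Exchange front-end and aspnet_client directories under IIS.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns for server-side code that executes request-supplied input.
# These are an assumption chosen for illustration, not signatures published by
# Microsoft or Volexity; tune them before running on a production Exchange host.
SUSPICIOUS_PATTERNS = [
    re.compile(r'<script\s+runat="server"', re.I),                   # inline server code block
    re.compile(r"Request\s*(\[|\.Form|\.Item|\.QueryString)", re.I),  # reads attacker-controlled input
    re.compile(r"\b(eval|Process\.Start|Assembly\.Load|ExecuteStatement)\b", re.I),  # executes it
]

# File types IIS will execute server-side; a web shell must use one of these.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def score_file(path: Path) -> int:
    """Return how many suspicious patterns appear in one script file (0 if unreadable)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return 0
    return sum(1 for pattern in SUSPICIOUS_PATTERNS if pattern.search(text))


def find_webshell_candidates(roots, min_score=2):
    """Walk each root and return sorted (path, score) pairs for files at or above min_score.

    Requiring two independent indicators (input read plus an execution primitive,
    for instance) keeps ordinary pages with a single server-side block out of the list.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if path.suffix.lower() not in SCRIPT_EXTENSIONS:
                    continue
                score = score_file(path)
                if score >= min_score:
                    hits.append((str(path), score))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample data, not real artifacts: one benign logon page and one shell-like page."""
    base = Path(tempfile.mkdtemp(prefix="exchange_sample_"))
    auth_dir = base / "owa" / "auth"
    auth_dir.mkdir(parents=True)
    # Benign page: a server-side form but no request-driven code execution.
    (auth_dir / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<html><body><form runat="server">Sign in</form></body></html>\n'
    )
    # Shell-like page (constructed): reads a request parameter and evaluates it.
    (auth_dir / "shell_sample.aspx").write_text(
        '<%@ Page Language="Jscript" %>\n'
        '<script runat="server">\n'
        'var cmd = Request["cmd"];\n'
        'if (cmd) { eval(cmd, "unsafe"); }\n'
        "</script>\n"
    )
    return base


if __name__ == "__main__":
    # On a real Exchange server the roots would be the IIS content directories,
    # e.g. the Exchange FrontEnd\HttpProxy tree and inetpub\wwwroot\aspnet_client (assumption).
    for candidate, score in find_webshell_candidates([build_sample_tree()]):
        print(f"score={score} {candidate}")
```

The scan is deliberately content-based rather than name-based: attackers pick file names that blend in with Exchange's own pages, so a list of known names goes stale quickly, whereas a page that both reads request input and hands it to an execution primitive is worth a look regardless of what it is called. Pair it with a check of file creation times against the patch date and with the IIS logs for POST requests to the flagged paths.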
The primary targets and victims of HAFNIUM’s attack in the U.S. included infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and nongovernmental organizations, according to Microsoft.
Microsoft's threat-intelligence and security teams partnered with cybersecurity researchers at Volexity and Dubex, whom Microsoft thanked in a blog post for helping to discover components of HAFNIUM's attack chain.
Volexity said on its website on Tuesday that it detected anomalous activity on two of its customers’ Microsoft Exchange Servers in January 2021.
"These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers," wrote Volexity's Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster. "Due to the ongoing observed exploitation of the discussed vulnerabilities, Volexity urges organizations to immediately apply the available patches or temporarily disable external access to Microsoft Exchange until a patch can be applied."