The Department of Homeland Security’s cybersecurity division on Wednesday ordered federal civilian agencies to address flaws in a popular email software program at the center of a suspected Chinese spying campaign.
The “emergency directive” from DHS’s Cybersecurity and Infrastructure Security Agency requires agencies to either apply security fixes for the vulnerabilities in the Microsoft Exchange Server software, or, if a compromise is found, to disconnect the program until it can be securely reconfigured.
The CISA order comes a day after Microsoft revealed that China-based hackers were using the previously unknown software bugs to steal data from select targets. The hacking group, called Hafnium, has previously tried to breach U.S.-based infectious disease researchers, defense contractors and educational institutions, Microsoft said.
The suspected Chinese hackers used one of the vulnerabilities to “steal the full contents of several user mailboxes,” according to Volexity, a cybersecurity firm that investigated the breaches.
Exchange Server is used in the federal government, and the email correspondence of U.S. officials is coveted material for foreign spies.
It’s unclear if any federal agencies have been breached in the campaign, but the CISA directive underscores the urgency of the threat. CISA cited the “likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.”
There were signs on Wednesday that additional exploitation of the vulnerabilities was well underway. Jon Hencinski, an executive at security firm Expel, said he had seen “automated exploitation of Internet-facing Exchange servers” using one of the vulnerabilities.
Agencies have until Friday to report back to CISA on their level of exposure.
CISA has only issued a handful of emergency directives in its two-year existence, but the agency has increasingly employed the authority in the face of critical bugs in software used by the federal government. CISA in September ordered agencies to address a critical vulnerability in a Microsoft protocol that hackers could use to steal sensitive data.