A Chinese government-backed hacking group has been using previously unknown software exploits in “limited and targeted” data-stealing attacks on organizations that use a popular email software program, Microsoft warned Tuesday.
The culprit, Microsoft said, is a group of China-based hackers dubbed Hafnium that the technology giant is discussing publicly for the first time. Hafnium has previously tried to hack U.S.-based infectious disease researchers, defense contractors and educational institutions. Microsoft said the group’s latest campaign has gone after similar targets.
The attackers have exploited multiple so-called “zero-day” bugs in the Microsoft Exchange Server software in an apparent espionage campaign, Microsoft said. Zero-day flaws are so named because security staffers were likely unaware of the issue, and thus have had zero days to create a fix. Breaking into Exchange Server could offer the attackers access to any sensitive communications that a business has conducted by email.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” Microsoft vice president Tom Burt said in a statement. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”
The security implications of the disclosure go well beyond the targeted victim organizations. Microsoft’s announcement allows other organizations to apply fixes for the software flaws, but could also set off a race among other state-sponsored actors or criminal groups to exploit unpatched systems.
After accessing the Exchange software, the attackers planted malicious code to facilitate long-term access to victim machines, according to Microsoft. And as Russian hackers have previously done, the suspected Chinese attackers used U.S. computing infrastructure, including virtual private servers, to cloak their operations.
The suspected Chinese hackers used one of the vulnerabilities to “steal the full contents of several user mailboxes,” according to Volexity, a cybersecurity firm that investigated the breaches.
That particular bug in Exchange “is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment,” Volexity said in a blog post Tuesday. “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
The announcement is a reminder that, as the Biden administration prepares to confront Russia over the espionage campaign involving software built by the U.S. contractor SolarWinds, China’s cyber capabilities also pose a formidable challenge.
Despite a series of U.S. Justice Department indictments of alleged China-backed hackers over several years, evidence of Beijing’s hacking operations continues to surface. The Chinese government routinely rejects allegations that it conducts cyberattacks.
Tuesday’s announcement is part of a Microsoft strategy to regularly out state-sponsored hacking campaigns in hopes of protecting its customers and other software vendors.