By Robert McMillan and Dustin Volz
A cyberattack on Microsoft Corp.'s Outlook email software is
believed to have infected tens of thousands of businesses,
government offices and schools in the U.S., according to people
briefed on the matter.
Many of those victims of the attack, which Microsoft has said
was carried out by a network of suspected Chinese hackers, appear
to be small businesses and state and local governments. Estimates
of total world-wide victims were approximate and ranged broadly as
of Friday. Tens of thousands of customers appear to have been
affected, but that number could be larger, the people said. It
could be higher than 250,000, one person said.
While many of those affected likely hold little intelligence
value due to the targets of the attack, it is likely to have netted
high-value espionage targets as well, one of the people said.
The hackers have been exploiting a series of four flaws in
Microsoft's Exchange software to break into email accounts and read
messages without authorization, and to install unauthorized
software, the company said. Those flaws are known as zero days
among cybersecurity professionals because they relied on previously
undisclosed software bugs, suggesting a high degree of
sophistication by the hackers.
"It was being used in a really stealthy manner to not raise any
alarm bells," said Steven Adair, founder of the cybersecurity firm
Volexity Inc., one of the companies that Microsoft credited with
reporting the issue.
Microsoft publicized the attack on Tuesday and identified the
culprits as a Chinese cyberespionage group that it dubbed Hafnium.
The company provided a software patch to users to fix the bugs.
A few days before that happened, however, the hackers changed
tactics. They abandoned stealth and began using automated software
to scan the internet for vulnerable servers and infect them, Mr.
Adair said. "The attackers cranked up a huge notch over this past
weekend," he said. "They're just hitting every Exchange server they
can find on the internet."
A Microsoft spokesman said Friday the company was working with
government agencies and security companies on mitigating the
incident, but declined to comment on the scope of the attack. News
on the attack's scope was reported earlier by the blogger Brian
Krebs.
For years, U.S. authorities have accused China of widespread
hacking against American businesses and government agencies. China
has denied these allegations.
The attack follows an earlier suspected Russian cyberattack,
disclosed in December, on U.S. government systems and American
businesses. But that attack, which involved breaking into a
networking-software company called SolarWinds, was a surgical
strike that broke into about 100 companies and nine government
agencies. This latest incident, by contrast, was more of a shotgun
blast, infecting tens of thousands of victims or more.
Security experts familiar with the matter said among the
concerns with this latest attack is that incident response teams
are already pushed to their limits handling that earlier,
continuing problem. Microsoft has said the two attacks aren't
related.
The latest hack has prompted widespread concern within the Biden
administration, as several government officials in recent days have
sought to warn about its potential severity. The Cybersecurity and
Infrastructure Security Agency issued a rare emergency directive
this week requiring federal government agencies to immediately
patch or disconnect servers running on-premises Microsoft Exchange
products. CISA held a call Friday with more than 4,000 critical
infrastructure partners in the private sector and state and local
governments encouraging them to patch their systems.
Also on Friday, White House press secretary Jen Psaki told
reporters during a press briefing that the Microsoft
vulnerabilities were of significant concern and "could have
far-reaching impacts" and result in a "large number of
victims."
In an update to its alert, posted Thursday, CISA warned that
hackers were using automated tools to scour the internet for
vulnerable Exchange servers.
The security firm Symantec has identified a "handful" of hacking
groups, all linked to China, behind these attacks, said Vikram
Thakur, a security researcher at the company. The victims have
tended to be small and medium-size organizations because many
larger ones either don't run some of the Exchange components that
include these flaws or limit access to Exchange by using security
tools such as virtual private networks, he said.
Users of Microsoft's cloud-based Office 365 product are
unaffected by the hack, the company said.
Mandiant, another security firm, said in a blog post this week
that it had witnessed multiple instances of Microsoft Exchange
Server abuse dating to January. Detected victims of the attack
include U.S.-based retailers, local governments, at least one
university and an engineering firm, Mandiant said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Dustin
Volz at dustin.volz@wsj.com
(END) Dow Jones Newswires
March 06, 2021 00:55 ET (05:55 GMT)
Copyright (c) 2021 Dow Jones & Company, Inc.