In March, tens of thousands of organisations around the world discovered their private internal discussions had been cracked open and laid bare by a group of Chinese hackers.
Four previously undiscovered weaknesses in Microsoft’s Exchange software, known as “zero days” because that is how much time the company had to fix the flaws before they were exploited, lay behind the mass hack. The vulnerabilities, which affected software released from 2012 onwards, allowed the group to take permanent control of the corporate servers, siphoning emails, calendars and anything else they desired.
Even fully updated systems were vulnerable, until Microsoft released emergency updates to fix the holes on 2 March, just three days before the hacking campaign was publicly disclosed by security journalist Brian Krebs.
The mass hack started on 28 February, with thousands of companies falling victim every hour before it was even possible for them to defend against it. Many more were hit in the days following Microsoft’s deployment of an emergency fix, since companies are often wary about installing security updates the same day they are published in case critical functionality breaks.
The campaign was quickly identified as a potential espionage mission, due to the nature of the information at risk: Microsoft’s Exchange software handles all communications at companies that use it, allowing attackers to potentially seize usernames and passwords, confidential information, intellectual property, blackmail material and more.
Initially, the attack was attributed to a group known as “Hafnium”, thought by security researchers to be affiliated with the Chinese state. But that early attribution was not sufficient for the UK and its allies to publicly state that the Chinese government lay behind the attack. After months of investigation, the UK’s National Cyber Security Centre has now declared it “highly likely that Hafnium is associated with the Chinese state.”
The attribution makes the attack the most consequential attributed to China since 2015’s attack on the US Office of Personnel Management, which saw 22m HR records relating to government workers, including details about background checks, exfiltrated by hackers.
So serious was this latest breach that the FBI took the unprecedented decision to deliberately seek out, hack into, and remove the malware from “hundreds” of servers that the agency had been unable to secure in the conventional manner. That operation, approved by a federal court, removed the malicious software placed by the hackers, but stopped short of fixing the vulnerability entirely.
The FBI said it was attempting to notify the owners of the computers it had broken into, by sending them an email from an official FBI account, or contacting their internet service providers.