The White House has warned that hackers may have compromised a “large number of victims” in the US by exploiting recently disclosed vulnerabilities in Microsoft software.
Jen Psaki, White House press secretary, said on Friday that there was currently an “active threat” from hackers exploiting four flaws in Microsoft’s Exchange email application, which the tech group disclosed earlier this week. Microsoft has blamed a Chinese state-backed hacking group for the attacks.
“This is a significant vulnerability that could have far-reaching impacts,” Psaki said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope.”
Brian Krebs, a cyber security researcher, claimed in a blog post on Friday that at least 30,000 organisations “including a significant number of small businesses, towns, cities and local governments” had been hacked in the past few days following Microsoft’s disclosure, citing multiple sources briefed on the matter.
On Tuesday, Microsoft published a blog post in which it said a group of hackers had launched “limited and targeted attacks” to gain access to emails. It also said the hackers had tried to go deeper into victims’ computer systems in order to lurk there unnoticed for a long period of time.
Microsoft has attributed the campaign to a group of Chinese state-sponsored hackers called Hafnium. China on Wednesday denied responsibility, according to a Reuters report. The White House did not link the campaign to any particular country.
It is unclear who has fallen victim to the attacks. Microsoft said that Hafnium has tended to target “infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs” in the past.
Late on Thursday, Jake Sullivan, National Security Adviser, said in a tweet that the White House was “tracking . . . reports of potential compromises of US think tanks and defence industrial base entities”.
He and Psaki urged the government, private sector companies and academic institutions to patch their systems after Microsoft issued fixes for the vulnerabilities.
The concerns come after revelations in December that a sprawling cyber espionage campaign, likely backed by Russia, had been targeting US government agencies and businesses unnoticed for at least a year.
Authorities are still struggling to understand the scope of the fallout from the SolarWinds hack, which has prompted calls for President Joe Biden to prioritise US cyber security. The Biden administration is now preparing sanctions and other executive orders in response to the hack.
James Lewis, a cyber expert at the Center for Strategic and International Studies, said it appeared that Microsoft and the US government had uncovered the Chinese attack while “poking about looking for SolarWinds”.
“This is the downside of a big hack by somebody else as it increases the chance that you’ll be found out,” Lewis said. “The Chinese should send the Russians a bill.”