EXECUTIVE SUMMARY:

A targeted attack on Microsoft Exchange Servers is causing disruptions for organizations in the US and worldwide. Media mentions of the attack first appeared in early March. The US-CERT and Microsoft both directed organizations to take precautions and to install updates.

How many organizations may be affected?

According to Reuters, more than 20,000 organizations may have been compromised. Cybersecurity expert and blogger Brian Krebs suggests that the number may be much higher; he believes it is at least 30,000.

Bloomberg reports that the attack has affected over 60,000 victims. The media agency cites an anonymous former US official connected to the remediation effort.

What types of organizations represent typical targets?

Microsoft’s experts state that the Hafnium group “primarily targets entities in the United States” with the purpose of stealing information from “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs”.

Nonetheless, cybersecurity vendors have observed that in this specific event, other kinds of organizations were also affected. These include an ice-cream company, senior-citizen communities and other enterprises.

Businesses in Norway and the Czech Republic may have also experienced incidents associated with this attack campaign.

Only a handful of organizations have actually been compromised thus far. Reports of compromise are expected to increase in coming days and weeks.

When did this Microsoft hack first begin?

The intruders first ventured into systems as early as January 5th, 2021. The attack is likely the work of a state-sponsored threat actor, which Microsoft’s researchers have nicknamed Hafnium.

How has Microsoft responded?

The company released patches for the four vulnerabilities on March 2, 2021. Organizations were, and still are, urged to patch their servers immediately.

How has CISA responded?

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to conduct forensics on their systems.

Where possible, patches are to be installed. Where patching is not possible, CISA asks agencies to provide additional information.

CISA also worked to apply mitigation techniques for organizations that could not patch quickly.

“Some local officials I have talked to don’t have the IT support to check and aren’t sure what to do if they find activity,” explained Matt Masterson, a former security official at the Department of Homeland Security.

CISA stated that the mitigation techniques will not be a silver bullet. Top security officials are mulling over the next moves.

On March 6th, the National Security Council posted a tweet about the incident (image courtesy of the BBC).

Is this attack related to SolarWinds?

Microsoft reports that the attack is not connected to SolarWinds. The group responsible for this attack appears to hail from a different geographic locale than that of the SolarWinds hackers.

However, one similarity that contributed to the success of both attacks is that each group appears to have launched its attacks from within US borders. This helps to explain why both the SolarWinds and the Microsoft Exchange intrusions escaped initial detection.

What are the hackers stealing, exactly?

These hackers are interested in the data contained within personal inboxes. They are also after credentials.

Additional information about the attack has not yet been released. The US government, Microsoft and cyber security vendors are due to provide further details shortly.

In conclusion

“High levels of the [National Security Council] are working to address the incident, working with our public and private partners, and looking closely at the next steps we need to take,” said a White House official.

Stay tuned. For more on the attack that targeted Microsoft Exchange Servers, visit the BBC.