It was first Solarwinds, a Russian hacking campaign that dates back almost a year and has brought down at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that attacks a vulnerability in Microsoft Exchange Server to sneak into victims’ inboxes and beyond. The collective results of these spying sprees are still being discovered. This may never be fully known.
Countries spy on each other, everywhere, all the time. They always have. But the scale and sophistication of Russia’s and China’s latest efforts still comes as a shock. And the short-term fallout from both underscores how difficult it can be to take full measure of a campaign even after you’ve sniffed it out.
By now you are probably familiar with the Solarwinds attack basics: Real Russian hackers broke into the IT management company’s networks and changed versions of its Orion network monitoring tool, exposing up to 18,000 organizations. The actual number of Solarwinds casualties is assumed to be much smaller, although security analysts have tied him in at least the low hundreds so far. And as Solarwinds CEO Sudhakar Ramakrishna avidly did highlighted for all who will listen, it wasn’t the only software supply chain company the Russians hacked into this campaign, implying a much larger ecosystem of victims than anyone has yet depicted.
“It has become clear that there is much more to learn about this incident, its causes, scope, scale and where we are going from here,” said Senate Intelligence Committee Chairman Mark Warner (D-VA), during a hearing on Solarwinds. hack last week. Brandon Wales, Acting Director of the US Cybersecurity and Infrastructure Agency, estimated in a meeting with MIT Technology Review this week, it could take up to 18 months for U.S. government systems to recover from the hacking frenzy on their own, let alone the private sector.
This lack of clarity is twofold for the Chinese hacking campaign that Microsoft unveiled on Tuesday. First spotted by security firm Volexity, a nation-state group Microsoft calls Hafnium uses several zero-day exploits—Which attacks previously unknown software vulnerabilities — to break into Exchange servers, which run email clients, including Outlook. There they could surreptitiously read the email accounts of high-value targets.
“You wouldn’t blame anyone for missing this,” says Steven Adair, founder of Veloxity, who says the activity they observed began on January 6 of this year. “They are very focused and don’t do much to raise the alarm bells.”
Over the past weekend, however, Veloxity saw a marked change in behavior, as hackers began to use their Exchange Server starting point to aggressively burrow deeper into victim networks. “It was really serious before; a person with unlimited access to your email at will is in a sense the worst case scenario, ”says Adair. “Being able to also break down your network and write files takes it up a notch in terms of what someone can achieve and how difficult it is to clean up.”
Neither Solarwinds nor Hafnium’s attacks have stopped, which means the very concept of cleaning up, at least as a whole, remains a distant dream. It’s like trying to mop up an actively spouting tanker. “It is evident that these attacks are still ongoing and that threat actors are actively scanning the internet in ‘spray and pray’ fashion, targeting anything that appears vulnerable,” says John Hammond, senior detection security researcher. threats. the Huntress firm, on the Hafnium campaign.
Microsoft released patches which will protect anyone using Exchange Server from aggression. But it’s only a matter of time before other hackers reverse engineer the fix to figure out how to exploit the vulnerabilities themselves; you can expect ransomware and cryptojacking groups to get into the action in a hurry.