At first, Chinese hackers waged a cautious campaign. For two months, they exploited weaknesses in Microsoft Exchange mail servers, picked their targets carefully, and stealthily stole entire mailboxes. When investigators finally figured it out, it looked like typical online espionage, but then things sped up dramatically.
Around February 26, the narrow operation turned into something much bigger and much more chaotic. A few days later, Microsoft publicly disclosed the hacks – the hackers are now known as Hafnium – and released a security patch. But at that time, the attackers were looking for targets all over the Internet: in addition to tens of thousands of reported victims in the United States, governments of the world announcing that they were compromised too. Today, at least 10 hacking groups, most of which are government-backed cyber espionage teams, are exploiting vulnerabilities in thousands of servers in more than 115 countries, according to to the security company ESET.
As President Joe Biden contemplates reprisals against the Russian hackers whose attack on another software company, SolarWinds, which went public in December, the Hafnium hack has become a huge free-for-all, and its consequences could be even worse. As experts sprint to fill the holes opened by Chinese hacking, officials say the U.S. government is focusing closely on what’s going on next to thousands of newly vulnerable servers – and how to respond to China.
“The doors are wide open for any bad actor who wants to do anything on your Exchange server and the rest of your network,” says Sean Koessel, vice president of Volexity, the cybersecurity company that helped uncover the hacking activity. “The best case is espionage – someone who just wants to steal your data. The worst-case scenario is the entry and deployment of ransomware across the network. “
The distinction between the two attacks is not just about the technical details, or even the country that committed them. Although 18,000 companies downloaded the compromised SolarWinds software, the number of true targets was only a fraction of that size. Hafnium, meanwhile, was much more blind.
“Both started out as spy campaigns, but the difference really lies in the way they were conducted,” says Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of security firm CrowdStrike. “The Russian SolarWinds campaign was carried out with great care, where the Russians took on the targets they held dear and closed access everywhere else, so that neither they nor anyone else could access those targets. that did not interest them.
“Compare that with the Chinese campaign,” he said.
“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They have left web shells that can now allow others to access these networks, even ransomware players. This is why it is very reckless, dangerous and to which it is necessary to react. “
The start of the Hafnium campaign was “very little known,” says Koessel.
The hack was missed by most security checks: It was only spotted when Volexity noticed strange and specific internet traffic requests from company customers who were running their own Microsoft Exchange mail servers.
A month-long investigation showed that four rare zero-day exploits were being used to steal entire mailboxes – potentially devastating for the individuals and businesses involved, but at this point there were few casualties and the damage was relatively limited. Volexity worked with Microsoft for weeks to fix the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only the number of victims started to increase, but the number of hacker groups also increased.
It is not clear how several government hacking groups became aware of the Zero Day vulnerabilities before Microsoft made a public announcement. So why has the scale of exploitation exploded? Perhaps, some suggest, the hackers may have realized that their time was almost up. If they knew a patch was coming, how did they find out?
“I think it is very rare to see so many [advanced hacking] groups with access to the exploit for a vulnerability when the details are not public, ”explains Matthieu Faou, who conducts research on Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities have been disclosed to the threat actors” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”
Volexity watched Hafnium hide inside networks for a month and took action to kick them out before Microsoft released a fix. It could have been the trigger that made Hafnium soar. Or, suggests Alperovitch, hackers could have found another way to bring in a patch: Security teams across the industry, including Microsoft’s, regularly exchange information about vulnerabilities and patches in advance. Once Microsoft made the public announcement, even more hacker groups joined the fray.
“The day after the fixes were released, we began to see many more threatening actors massively scanning and compromising Exchange servers,” says Faou. All but one active hacking group are recognized government-backed hacking teams focused on espionage. “However, it is inevitable that more and more threat actors, including ransomware operators, will sooner or later have access to exploits,” he says.
As activity intensified, Volexity saw another change in behavior: Hackers left web shells when they entered these systems. They are simple hacking tools that allow persistent and remote access to infected machines so that the hacker can control them. They can be effective, but they’re also relatively loud and easy to spot.
Once hackers drop a shell on a machine, they can keep coming back until it’s cleaned up – even patching the vulnerabilities that were originally at fault won’t clean up the shells. But the web shell itself is barely secure and can be co-opted by other hackers – first to break into Exchange servers and steal emails, then to attack entire networks.
“It’s a door with a lock that is easy to select,” says Alperovich.
A different challenge
Piracy continues to escalate. Microsoft took the rare step on Monday to release security fixes for unsupported versions of Exchange that would normally be too old to be secure, a sign of the severity of the attack according to the company. Microsoft declined to comment.
As the White House weighs a response, the risk grows. The Biden administration is slowly dealing with the sophisticated spying of SolarWinds, but the chaos of the Hafnium hacks presents an entirely different challenge – both in solving the problem and responding to the hackers behind it.
“A message must be sent to the Chinese to say that this is unacceptable,” says Alperovich. The United States must make it clear “that we will hold them accountable for any damage resulting from criminal actors exploiting this access,” he said, “and we must push them to remove these web typos from all victims as soon as possible. . “