https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/ Skip to main content Open Navigation Menu To revist this article, visit My Profile, then View saved stories. Close Alert WIRED Chinese Hacking Spree Hit an 'Astronomical' Number of Victims * Backchannel * Business * Culture * Gear * Ideas * Science * Security More To revist this article, visit My Profile, then View saved stories. Close Alert Sign In Search * Backchannel * Business * Culture * Gear * Ideas * Science * Security Andy Greenberg Security 03.05.2021 06:56 PM Chinese Hacking Spree Hit an 'Astronomical' Number of Victims A single group appears to have infiltrated tens of thousands of Microsoft Exchange servers in an ongoing onslaught. * * * * To revist this article, visit My Profile, then View saved stories . microsoft buildingPhotograph: David Paul Morris/Bloomberg/Getty Images * * * * To revist this article, visit My Profile, then View saved stories . When news hit earlier this week that Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they were exploiting might have allowed them to hit countless organizations around the world. Now it's becoming clear just many email servers they hacked. By all appearances, the group known as Hafnium breached as many victims they could find across the global internet, leaving behind backdoors to return to later. Hafnium has now exploited zero-day vulnerabilities in Microsoft's Exchange servers' Outlook Web Access to indiscriminately compromise no fewer than tens of thousands of email servers, according to sources with knowledge of the investigation into the hacking campaign who spoke to WIRED. The intrusions, first spotted by security firm Volexity, began as early as January 6, with a noticeable uptick starting last Friday and spiking early this week. The hackers appear to have responded to Microsoft's patch, released Tuesday, by ramping up and automating their hacking campaign. One security researcher involved in the investigation who spoke to WIRED on the condition of anonymity put the number of hacked Exchange servers at more than 30,000 in the US alone, and hundreds of thousands worldwide, all apparently by the same group. Independent cybersecurity journalist Brian Krebs first reported that 30,000 figure Friday, citing sources who had briefed national security officials. "It's massive. Absolutely massive," one former national security official with knowledge of the investigation told WIRED. "We're talking thousands of servers compromised per hour, globally." "It's a ticking time bomb." Steven Adair, Volexity In a press conference Friday afternoon, White House press secretary Jen Psaki warned anyone running the affected Exchange servers to implement Microsoft's patch for the vulnerabilities immediately. "We are concerned that there are a large number of victims and are working with our partners to understand the scope of this," Psaki said in a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. "Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps." That White House advice echoed a tweet from former Cybersecurity and Infrastructure Security Agency director Chris Krebs on Thursday night advising anyone with an exposed Exchange server to "assume compromise" and begin incident response measures to remove the hackers' access. The affected networks, which likely include those of small and medium-size organizations more than the large enterprises that tend to use cloud-based email systems, appear to have been hacked indiscriminately via automated scanning. The hackers planted a "web shell"--a remotely accessible, web-based backdoor foothold--on the Exchange servers they exploited, allowing them to perform reconnaissance on the target machines and potentially move to other computers on the network. That means only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. Nonetheless, any organization that doesn't take pains to remove the hackers' backdoor remains compromised, and the hackers could reenter their networks to steal data or cause mayhem until that web shell is removed. "A massive, massive number of organizations are getting that initial foothold," says Adair. "It's a ticking time bomb that can be used against them at any point in time." Though the vast majority of intrusions appear to have consisted only of those web shells, the "astronomical" scale of those global compromises is uniquely disturbing, one security researcher who participated in the investigation told WIRED. The small to medium-size organizations that were compromised include local government agencies, police, hospitals, Covid response, energy, transportation, airports, and prisons. "China just owned the world--or at least everyone with Outlook Web Access," the researcher said. "When was the last time someone was so bold as to just hit everyone?" Advertisement In fact, the last such mass intrusion campaign came to light in just December, with the revelation that Russian hackers had compromised IT management tools from Solar Winds' used by 18,000 organizations. That hacking campaign successfully breached at least half a dozen US federal agencies. The Hafnium Exchange hacking campaign now represents the second hacking campaign of that scale, just a few months later. The Chinese hackers Exchange exploitation spree appears to have begun only months ago, in contrast to the Russia's silent, year-plus SolarWinds espionage campaign. And Hafnium's victim list appears more limited to small- and medium-sized organizations, whereas the SolarWinds hit large US government agencies. But as with the Russian SolarWinds hackers, investigators have yet to identify who exactly the Hafnium hackers are--beyond Microsoft's assertion that they're state-sponsored and operate out of China--or to pin down the full extent of their motivations. "I don't understand what the strategic objective of maintaining persistence on a local government agency would be for the MSS," says the former national security official, referring to China's Ministry of State Security. "Is this a contractor or a proxy group? Is it a Chinese cybercriminal group? Is it a rogue actor in China that got out ahead of itself?" While the hacking campaign may be aimed at casting a wide net before filtering targets for espionage, the security researcher who spoke to WIRED warned that it may yet have disruptive effects. "If they push ransomware to this, we're going to have the worst day ever," he says. But unlike the SolarWinds incident, the researcher points out, the Exchange-hacking campaign was caught early--or at least early in its widespread use. As daunting as the task of cleaning up the hackers' tens of thousands of infections may be, that early detection may give victims a chance to both patch their systems and remove the hackers before they can take advantage of their foothold inside organizations. "If we had a chance to prevent a SolarWinds-scale thing that went on for months, wouldn't we want to act on it?" asks the researcher. "Now we have that chance if we act fast." --------------------------------------------------------------------- More Great WIRED Stories * The latest on tech, science, and more: Get our newsletters! * The Lion, the polygamist, and the biofuel scam * Clubhouse is booming. So is the ecosystem around it * How Google's grand plan to make its own games fell apart * Why can't I stop staring at my own face on Zoom? * Perseverance's eyes see a different Mars * WIRED Games: Get the latest tips, reviews, and more * Torn between the latest phones? Never fear--check out our iPhone buying guide and favorite Android phones [andy_green] Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom. He's the author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. The book and excerpts from it published in WIRED won a Gerald Loeb Award for... Read more Senior Writer * Featured Video Former CIA Chief of Disguise Breaks Down Cold War Spy Photography During the Cold War, surveillance in Moscow was the most difficult kind of surveillance that the US had encountered around the globe. There are lots of was to collect intelligence, and cameras were former CIA Chief of Disguise Jonna Mendez's favorite. Jonna talks about all the different photography methods US spies used during the Cold War, from carrier pigeons holding tiny cameras to a variety of different spy cameras that could be hidden in pens, ties and pocketbooks. Check out Jonna Mendez's most recent book The Moscow Rules or find more information about her on her website on https:// www.themasterofdisguise.com/ Moscow Rules: https://www.amazon.com/gp/ product/1541762185/ref=dbs_a_def_rwt_hsch_vapi_tpbk_p1_i0 Archival images courtesy of the International Spy Museum (SPY) in Washington, DC, a Guinness World Record recognized nonprofit with the largest collection of spy artifacts in the world. At the Museum, you can see firsthand some of these spy gadgets: http://www.spymuseum.org/ Additional Archival Images Courtesy of: Images of Tolkachev are courtesy of a family friend, from The Billion Dollar Spy. You can find out more about the book here: https://www.davidehoffman.com/ Image of Matchbox Camera courtesy of the CIA, who does not endorse the contents of this production Interspectral: https:// www.youtube.com/channel/UCoG3unoSTVcR64o8vGb1SEQ Getty Library of Congress, Geography and Map Division TopicscybersecuritymalwarehackingChinaMicrosoft WIRED WIRED is where tomorrow is realized. It is the essential source of information and ideas that make sense of a world in constant transformation. The WIRED conversation illuminates how technology is changing every aspect of our lives--from culture to business, science to design. The breakthroughs and innovations that we uncover lead to new ways of thinking, new connections, and new industries. * * * * * * More From WIRED * Subscribe * Newsletters * FAQ * Wired Staff * Press Center Contact * Advertise * Contact Us * Customer Care * Send a tip securely to WIRED * Jobs * RSS * Site Map * Accessibility Help * Conde Nast Store * Conde Nast Spotlight * Do Not Sell My Personal Info (c) 2021 Conde Nast. All rights reserved. Use of this site constitutes acceptance of our User Agreement (updated as of 1/1/21) and Privacy Policy and Cookie Statement (updated as of 1/1/21) and Your California Privacy Rights. Wired may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Conde Nast. Ad Choices