At least 30,000 US organisations including local governments have been hacked in recent days by an “unusually aggressive” Chinese cyber-espionage campaign, according to a computer security specialist.
The campaign has exploited recently discovered flaws in Microsoft Exchange software, stealing email and infecting computer servers with tools that let attackers take control remotely, Brian Krebs said in a post at his cybersecurity news website.
“This is an active threat,” White House spokeswoman Jennifer Psaki said when asked about the situation during a press briefing on Friday.
“Everyone running these servers needs to act now to patch them. We are concerned that there are a large number of victims,” she added.
After Microsoft released patches for the vulnerabilities on Tuesday, attacks “dramatically stepped up” on servers not yet updated with security fixes, said Krebs, who cited unnamed sources familiar with the situation.
“At least 30,000 organisations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations,” Krebs wrote in the post.
He reported that insiders said hackers have “seized control” of thousands of computer systems around the world using password-protected software tools slipped into systems.
Microsoft said early this week that a state-sponsored hacking group operating out of China is exploiting previously unknown security flaws in its Exchange email services to steal data from business users.
The company said the hacking group, which it has named “Hafnium,” is a “highly skilled and sophisticated actor”.
Hafnium has targeted US-based companies in the past, including infectious disease researchers, law firms, universities, defence contractors, think-tanks, and NGOs.
In a blog post on Tuesday, Microsoft executive Tom Burt said the company had released updates to fix the security flaws, which apply to on-premises versions of the software rather than cloud-based versions, and urged customers to apply them.
“We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” he added at the time.
Microsoft said the group was based in China but operated through leased virtual private servers in the United States, and that it had briefed the US government.
Beijing has previously hit back at US accusations of state-sponsored cyber-theft. Last year, it accused Washington of smears following allegations that Chinese hackers were attempting to steal coronavirus research.
In January, US intelligence and law enforcement agencies said Russia was probably behind the massive SolarWinds hack that shook the government and corporate security, contradicting then-President Donald Trump, who had suggested China could be to blame.
Microsoft said Tuesday the Hafnium attacks “were in no way connected to the separate SolarWinds-related attacks”.
According to reports, more attacks are expected from other hackers.
The hackers have only used the back doors to re-enter and move around the infected networks in a small percentage of cases, probably less than one in 10, the person working with the government said.
“A couple hundred guys are exploiting them as fast as they can,” stealing data and installing other ways to return later, he said.
The initial avenue of attack was discovered by prominent Taiwanese cyber-researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January. He said in a blog post that he was investigating whether the information leaked.
He did not respond to requests for further comment.