March 11, 2021 | Policy Brief

Microsoft and CISA Warn of Chinese State Hackers Targeting Windows Exchange Servers

Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) issued alerts last week warning that Chinese state-sponsored hackers had exploited previously undisclosed vulnerabilities in Microsoft Exchange Server to break into victims' email systems and harvest usernames and passwords. The revelation represents an early test of the Biden administration's strategy to "deter Chinese aggression and counter threats to our collective security, prosperity, and democratic way of life."

The alerts identify several vulnerabilities in on-premises Microsoft Exchange Server, the company's email and calendar server product (Exchange Online, the cloud-hosted service, was not affected). By chaining these vulnerabilities, a Chinese state-sponsored hacking group, which Microsoft has labeled "Hafnium," was able to gain access to victim servers, read mailbox contents, and harvest email usernames and passwords.

Microsoft's security blog post noted that, once inside, Hafnium installed web shells (backdoors reachable through the server's own web interface) to keep control of compromised servers, and could then use that foothold to install additional malware and launch further operations inside victim networks. Over the weekend, media reporting indicated that these vulnerabilities had already been used to compromise tens of thousands of Microsoft Exchange servers around the world.

Hafnium's target list indicates the group is focused on espionage. According to the Microsoft Threat Intelligence Center (MSTIC), the group has historically exfiltrated information from defense contractors, policy think tanks and nongovernmental organizations, higher education institutions, law firms, and infectious disease research organizations.

The cybersecurity firms Volexity and FireEye first observed exploitation of the vulnerabilities in January 2021. FireEye reported that, much as the malware used in the SolarWinds breach did, Hafnium operators issued commands on the compromised server to check for several popular security products that might detect their activity before proceeding. This reconnaissance step reflects a degree of operational discipline: the intruders confirm that the target lacks the security controls that would tip off its security analysts before carrying out the rest of the attack.

The SolarWinds intruders took this evasion a step further, obfuscating their code and disguising their command-and-control traffic as normal network traffic, whereas Hafnium appeared more interested in quickly establishing a secondary backdoor to maintain persistent access even if the initial intrusion was detected.

In response to Microsoft's warning, CISA issued an emergency directive (Emergency Directive 21-02) and an accompanying alert. The alert provides the technical detail, including indicators of compromise and guidance for detecting and responding to the activity. The directive is binding on federal civilian agencies: it requires them to identify every Microsoft Exchange Server in their network environments and apply Microsoft's security patch. Because the hackers' goal was persistent access, patching alone is not enough, so the directive also requires agencies to hunt for anomalous behavior and other indicators of compromise on those servers before and after patching, isolate and respond to any server found to be compromised, and report their findings back to CISA.

A patch addresses the technical problem, but this latest breach poses another challenge for the Biden administration. Even as Washington is still scoping the extent and severity of the SolarWinds breach, the Hafnium campaign requires the administration to send a resolute message that it will hold both Russia and China to account for their actions in cyberspace.

Trevor Logan is a cyber research analyst at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD's Center on Cyber and Technology Innovation (CCTI) and China Program. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
