China-Linked Hack Hits Tens of Thousands of U.S. Microsoft Customers

Read more at the Wall Street Journal

A cyberattack on Microsoft Corp.’s Exchange email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter.

Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.

While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.

The hackers have been exploiting a series of four flaws in Microsoft’s Exchange software to break into email accounts and read messages without authorization, and to install unauthorized software, the company said. Those flaws are known as zero days among cybersecurity professionals because they relied on previously undisclosed software bugs, suggesting a high degree of sophistication by the hackers.

“It was being used in a really stealthy manner to not raise any alarm bells,” said Steven Adair, founder of the cybersecurity company Volexity Inc., one of the firms that Microsoft credited with reporting the issue.

Microsoft publicized the attack Tuesday and identified the culprits as a Chinese cyberespionage group that it dubbed Hafnium. The company provided a software patch to users to fix the bugs.

A few days before that happened, however, the hackers changed tactics. They abandoned stealth and began using automated software to scan the internet for vulnerable servers and infect them, Mr. Adair said. “The attackers cranked up a huge notch over this past weekend,” he said. “They’re just hitting every Exchange server they can find on the internet.”