Cybersecurity group FireEye announced Thursday night that it had found evidence that hackers had exploited a flaw in a popular Microsoft email application since January to target groups in a variety of sectors.
FireEye analysts wrote in a blog post that the company had observed hackers, which Microsoft announced earlier this week were a Chinese state-sponsored group known as “Hafnium”, exploiting vulnerabilities in Microsoft’s Exchange Server email program to attack at least one FireEye client as of January.
Since then, FireEye found evidence that hackers had gone after a number of victims, including “US-based retailers, local governments, a university, and an engineering company,” along with a government from Southeast Asia and a telecommunications company from Central Asia.
The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to go after groups running the program.
Microsoft noted that Hafnium was previously known to steal information from organizations that included infectious disease researchers, law firms, institutions of higher education, defense contractors, policy think tanks, and nongovernmental organizations.
FireEye analysts wrote Thursday night that “Microsoft’s reported activity aligns with our observations.”
“The activity we have observed, along with others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to entrench themselves in environments,” the analysts wrote. “This activity is quickly followed by additional access and persistent mechanisms. As stated above, we have several ongoing cases and will continue to provide information as we respond to the intrusions.”
The federal government may have also been affected by the email app vulnerability, for which Microsoft issued a patch earlier this week.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate for signs of compromise and to patch or shut down the Exchange Server program if a compromise has occurred.
Jake Sullivan, President Biden’s national security adviser, encouraged all network owners to immediately implement Microsoft’s patch on Thursday night.
“We are closely monitoring Microsoft’s emergency patch to detect previously unknown vulnerabilities in Exchange Server software and reports of potential compromises from US defense think tanks and industrial base entities,” Sullivan tweeted.
Former CISA Director Christopher Krebs also underscored the possible seriousness of the breach, tweeting Thursday night that “this is the real deal” and encouraging organizations running Exchange Server to go into “incident response mode.”
The newly discovered compromise comes as the federal government is still investigating a massive Russian cyber espionage attack that was ongoing for at least a year prior to the discovery.
The breach, which has become known as the SolarWinds hack, involved hackers exploiting the software of the IT group SolarWinds to target up to 18,000 of its customers. As of last month, at least nine federal agencies and 100 private sector groups had been compromised.
Both FireEye and Microsoft were among the groups compromised as part of the hacking operation, and FireEye was widely recognized for drawing attention to the incident by coming out publicly in December after it was breached.