China-based government hackers have taken advantage of a bug in Microsoft’s email server software to attack American organizations, the company said on Tuesday.
The company said a “highly skilled and sophisticated” state-sponsored group operating out of China has been trying to steal information from various US targets, including universities, defense contractors, law firms and infectious disease researchers.
Microsoft said it has released security updates to fix vulnerabilities in its Exchange Server software, which is used for work email and calendar services, primarily by larger organizations that run their own in-house email servers. The issue does not affect personal email accounts or Microsoft cloud-based services.
The company said the hacking group, which it calls Hafnium, was able to trick the Exchange servers into allowing it to gain access. The hackers then posed as someone who should have access and created a way to remotely control the server so that they could steal data from an organization’s network.
Microsoft said the group is based in China but operates from rented virtual private servers in the United States, helping it avoid detection.
The company declined to name specific targets or say how many organizations were affected.
Reston, Virginia-based cybersecurity firm Volexity, which Microsoft credits with helping detect the intrusions, said its network security monitoring service began detecting a suspiciously large data transfer in late January.
“They’re just downloading email, literally going into town,” said Steven Adair, president of Volexity, who said the targets include “defense contractors, international aid and development organizations, the NGO think tank community.”
Adair said he is concerned that hackers will speed up their activity in the coming days before organizations can install Microsoft’s security updates.
“As bad as it is right now, I think it’s going to get a lot worse,” he said. “This gives them a limited amount of opportunity to exploit something. The patch won’t fix that if they left their back door behind.”