Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.
The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. The hackers had stealthily attacked several targets in January, according to Volexity, the cybersecurity firm that discovered the hack, but escalated their efforts in recent weeks as Microsoft moved to repair the vulnerabilities exploited in the attack.
The U.S. government’s cybersecurity agency issued an emergency warning on Wednesday, amid concerns that the hacking campaign had affected a large number of targets. The warning urged federal agencies to immediately patch their systems. On Friday, the cybersecurity reporter Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.
“We’re concerned that there are a large number of victims,” the White House press secretary, Jen Psaki, said during a press briefing on Friday. The attack “could have far-reaching impacts,” she added.
Federal officials were struggling to understand how the latest hack compared with last year’s intrusion into a variety of federal agencies and corporate systems by Russian hackers in what has become known as the SolarWinds attack. In that incident, the Russian hackers planted code in an update of the SolarWinds network management software. While about 18,000 customers of the company downloaded the code, so far there is only evidence that the Russian hackers stole material from nine government agencies and roughly 100 companies.
In the hack that Microsoft has attributed to the Chinese, there are estimates that 30,000 or so customers were affected when the hackers exploited holes in Exchange, a mail and calendar server created by Microsoft. Those systems are used by a broad range of customers, from small businesses to local and state governments and some military contractors. The hackers were able to steal emails and install malware to continue surveillance of their targets, Microsoft said in a blog post, but Microsoft said it had no sense of how extensive the theft was.
The Chinese Embassy in Washington did not immediately respond to a request for comment.
The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password.
“This is what we consider really stealth,” Mr. Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” Volexity reported its findings to Microsoft and the U.S. government, he added.
But in late February, the attack escalated. The hackers began weaving multiple vulnerabilities together and attacking a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” Mr. Adair said. “It just kept getting worse and worse.”
The hackers targeted as many victims as they could find across the internet, hitting small businesses, local governments and large credit unions, according to one cybersecurity researcher who has studied the U.S. investigation into the hacks who is not authorized to speak publicly about the matter. The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” said Jake Sullivan, the White House national security adviser.
“This is the real deal,” tweeted Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency. (Mr. Krebs is not related to the cybersecurity reporter who disclosed the number of victims.)
Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and work quickly to install the patches released this past week by Microsoft.
In a statement, Jeff Jones, a senior director at Microsoft, said, “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”
Microsoft said a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.
Since the company disclosed the attack, other hackers not affiliated with Hafnium began to exploit the vulnerabilities to target organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.
Patching these systems is not a straightforward task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to host their own servers safely. For years, Microsoft been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to shift to the cloud and be a financial boon for Microsoft.
Because of the broad scope of the attack, many Exchange users are probably compromised, Mr. Adair said. “Even for people who patched this as fast as humanly possible, there’s an extremely high chance that they were already compromised.”
Nicole Perlroth contributed reporting.