Cybersecurity group FireEye on Thursday night announced it had found evidence that hackers had exploited a flaw in a popular Microsoft email application since as early as January to target groups across a variety of sectors.
FireEye analysts wrote in a blog post that the company had observed the hackers — who Microsoft announced earlier this week were a Chinese state-sponsored hacking group known as “Hafnium” — exploiting vulnerabilities in Microsoft’s Exchange Server email program to target at least one FireEye client beginning in January.
Since then, FireEye found evidence that the hackers had gone after an array of victims, including “US-based retailers, local governments, a university, and an engineering firm,” along with a Southeast Asian government and a Central Asian telecom.
The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to go after groups running the program.
Microsoft noted that Hafnium had previously been known to steal information from organizations including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernmental organizations.
FireEye analysts wrote Thursday night that “the activity reported by Microsoft aligns with our observations.”
“The activity we have observed, coupled with others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments,” the analysts wrote. “This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.”
The federal government may also have been affected by the Exchange Server vulnerabilities, for which Microsoft issued a patch earlier this week.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate their Exchange servers for signs of compromise and either to patch them or, where a compromise was found, to disconnect them.
On Thursday night, Jake Sullivan, President Biden’s national security adviser, encouraged all network owners to implement the Microsoft patch immediately.
“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” Sullivan tweeted.
Former CISA Director Christopher Krebs also underlined the potential seriousness of the breach, tweeting Thursday night that “this is the real deal,” and encouraging organizations running Exchange…