Cybersecurity group FireEye announced Thursday night that it had found evidence that hackers had exploited a flaw in a popular Microsoft email app since January to target groups in various sectors.
FireEye analysts wrote in a blog post that the company had observed hackers (which Microsoft announced earlier this week were a Chinese state-sponsored hacking group known as “Hafnium”) exploiting vulnerabilities in the Microsoft Exchange Server email program to target at least one FireEye client as early as January.
Since then, FireEye has found evidence that hackers have gone after a number of victims, including “U.S.-based retailers, local governments, a university and an engineering company,” along with a Southeast Asian government and a Central Asian telecommunications company.
The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to target groups running the program.
Microsoft noted that Hafnium was previously known to steal information from organizations such as infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations.
FireEye analysts wrote Thursday night that “the activity reported by Microsoft is in line with our observations.”
“The activity we have observed, along with others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to establish themselves in environments,” analysts wrote. “This activity is quickly followed by additional access and persistence mechanisms. As stated above, we have multiple ongoing cases and will continue to provide information as we respond to intrusions.”
The federal government may also have been affected by the email application vulnerability, for which Microsoft issued a patch earlier this week.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate for signs of compromise and, if a compromise has occurred, to remediate or disconnect the Exchange Server program.
Jake Sullivan, President Biden’s national security adviser, encouraged all network owners to immediately implement the Microsoft patch Thursday night.
“We’re closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of possible compromises at think tanks and U.S.-based defense industries,” Sullivan tweeted.
Former CISA director Christopher Krebs also stressed the potential severity of the vulnerability, tweeting Thursday night that “this is the real deal” and encouraging organizations running Exchange Server to enter “incident response mode.”
The newly discovered compromise comes as the federal government is still investigating a massive Russian cyberespionage attack that was ongoing for at least a year before it was discovered.
The breach, known as the SolarWinds hack, involved hackers exploiting software from the IT group SolarWinds to target up to 18,000 of its customers. As of last month, at least nine federal agencies and 100 private sector groups had been compromised.
Both FireEye and Microsoft were among the groups compromised as part of the hacking operation, with FireEye widely credited for drawing attention to the incident by going public in December following its own breach.