Microsoft says a group of cyberattackers tied to China hit its Exchange email servers
Mar 3, 2021, 6:14 AM | Updated: 6:15 am
NEW YORK, NY - MAY 2: The Microsoft logo is illuminated on a wall during a Microsoft launch event to introduce the new Microsoft Surface laptop and Windows 10 S operating system, May 2, 2017 in New York City. The Windows 10 S operating system is geared toward the education market and is Microsoft's answer to Google's Chrome OS. (Photo by Drew Angerer/Getty Images)
(Photo by Drew Angerer/Getty Images)
(CNN) — Microsoft says that a sophisticated group of hackers linked to China has exploited its popular email service that allowed them to gain access to computers.
In a blog post Tuesday, the company said that four vulnerabilities in its software allowed hackers to access servers for Microsoft Exchange, “which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” The firm added that the online platform for Exchange, the cloud-based version of the service, was not affected.
Microsoft is now urging users to download software patches, or fixes, for the four different vulnerabilities that were found.
The company said that it believes the attacks were carried out by Hafnium, “a group assessed to be state-sponsored and operating out of China.” It did not offer evidence supporting the assessment, but said the “state-sponsored” actor was identified by the Microsoft Threat Intelligence Center based on observed “tactics and procedures.”
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately,” it said.
“This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers.”
Hafnium is a network of hackers that “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and [non-government organizations],” according to Microsoft.
Though the group is believed to be based in China, it usually strikes using virtual private servers based in the United States, the company said.
Asked about the Microsoft blog post, a spokesperson for China’s Ministry of Foreign Affairs said that the country “firmly opposes and fights all forms of cyber-attacks and thefts in accordance with the law.”
“Connecting cyberattacks directly to the government is a highly sensitive political issue,” Wang Wenbin told reporters at a regular press briefing. “China hopes that relevant media and companies will adopt a professional and responsible attitude. When characterizing cyber incidents, it should be based on sufficient evidence, rather than unprovoked guesses.”
“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products,” Tom Burt, Microsoft’s corporate vice president, customer security and trust, added in a separate blog post.
This isn’t Microsoft’s first tangle with Hafnium. The tech giant has previously — on separate, unrelated occasions — observed the group “interacting with victim” users of Office 365, it said.
But “this is the first time we’re discussing its activity,” wrote Burt.
“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” the company said.
— CNN’s Beijing bureau contributed to this report.
The-CNN-Wire
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.
