On the heels of the massive SolarWinds breach, which you can read about here, reports started circulating on March 2 that 250,000 organizations’ on-premises Microsoft Exchange servers, including 30,000 organizations in the U.S., were the target of a cyberattack linked to Hafnium, a suspected China state-sponsored actor (CNN.com). Cloud-based Exchange Online and Microsoft 365 products were reportedly not affected by this hack. Brian Krebs, on his website, Krebs on Security, was one of the first to write about the hack. The White House and other government agencies are now investigating the attack, which China has denounced, stating through its Ministry of Foreign Affairs that China “firmly opposes and fights all forms of cyber-attacks and thefts in accordance with the law” (CNN.com).

Victims, as identified by Microsoft and U.S. government agencies, include “state and local governments, policy think tanks, academic institutions, infectious disease researchers and businesses such as law firms and defense contractors” (CNN.com).

With this attack, the hackers could access emails, address books, and user account databases. Along with this access, they could also potentially install malware that would give them long-term access to the victim’s files, credentials, or inboxes (CNN.com).

Microsoft has been working to help users, including issuing emergency security updates and releasing a tool to help customers detect malicious activity. Although the attack was only reported on March 2, it is suggested that users look back as far as September 2020 for any sign of malicious activity.

If you need help analyzing your on-premises Exchange environment, we can help. Our team of experts can assess your Exchange environment for signs of the incident and, if evidence is found, we can further investigate what may have been compromised and help remediate the event. Contact us at 412-325-4033 or info@bit-x-bit.com.