More than 20,000 US organizations have been compromised by a back door installed through recently patched flaws in Microsoft’s e-mail software, a person familiar with the US government’s response said on Friday.
The hacking has already reached more organizations than the tainted code downloaded from SolarWinds Corp., the company at the center of another massive hacking campaign discovered in December.
The latest hack has left remote-access channels, the back doors, on systems at credit unions, city governments and small businesses, according to data from the US investigation.
Tens of thousands of organizations in Asia and Europe are also affected, records show.
The hacking continues despite emergency patches issued by Microsoft on Tuesday.
Microsoft, which initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the extent of the problem on Friday, but said it was working with government agencies and security companies to help customers.
The company added that “affected customers should contact our support teams for additional help and resources”.
A scan of internet-connected devices showed that only 10% of the vulnerable systems had installed the patches by Friday, although that number was growing.
Because installing the patch does not remove the back doors already planted, US officials are scrambling to find a way to notify all the victims and guide them in hunting for the intrusions.
Everyone affected appears to be running the web version of the Outlook email client hosted on their own machines, rather than relying on cloud providers. That may have spared many of the largest companies and federal government agencies, records suggest.
The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.
Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found on Microsoft’s widely used Exchange servers were “significant” and “could have far-reaching impacts.”
“We are concerned that there are a large number of victims,” Psaki said.
Microsoft and the person working with the US response blamed the initial wave of attacks on an actor supported by the Chinese government. A Chinese government spokesman said the country was not behind the intrusions.
What began as a controlled attack late last year against several classic espionage targets escalated last month into a large-scale campaign. Security officials said that either China changed its tactics or a second group became involved.
More attacks are expected from other hackers as the code used to take control of email servers spreads.
Hackers have so far used the back doors to enter and move around infected networks in only a small percentage of cases, probably fewer than 1 in 10, said the person working with the government.
“Several hundred guys are exploiting them as fast as they can,” stealing data and installing other ways to return later, the person said.
The initial route of the attack was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January. He said in a blog post that he is investigating whether the information was leaked.
He did not respond to requests for further comment.