FireEye finds evidence that Chinese hackers have exploited a Microsoft email flaw since January

Cybersecurity group FireEye announced Thursday night that it had found evidence that hackers have been exploiting a flaw in a popular Microsoft email application since January to target groups in a variety of sectors.

FireEye analysts wrote in a blog post that the company had observed hackers, whom Microsoft identified earlier this week as a Chinese state-sponsored hacking group known as "Hafnium," exploiting vulnerabilities in Microsoft's Exchange Server email program to target at least one FireEye client starting in January.

Since then, FireEye has found evidence that the hackers have pursued a number of victims, including "U.S. retailers, local governments, a university and an engineering firm," along with a Southeast Asian government and a Central Asian telecommunications company.

The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to go after organizations running the program.

Microsoft noted that Hafnium was previously known to steal information from organizations, including infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and non-governmental organizations.

FireEye analysts wrote Thursday night that “Microsoft’s activity is in line with our observations.”

"The activity we have observed, along with others in the information security industry, indicates that these threats are likely to use Exchange Server vulnerabilities to establish themselves in environments," the analysts wrote. "This activity is quickly followed by additional access and persistent mechanisms. As mentioned earlier, we have several ongoing cases and will continue to provide information as we respond to intrusions."

The federal government may also have been affected by the email vulnerability, for which Microsoft released patches earlier this week.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate for signs of compromise and to patch their Exchange Server installations or disconnect them if a compromise has occurred.

Jake Sullivan, President Biden's national security adviser, on Thursday night encouraged all network owners to implement the Microsoft patch immediately.

"We closely monitor Microsoft's emergency patches for previously unknown vulnerabilities in Exchange Server software and reports on potential compromises of US think tanks and core defense industries," Sullivan said in a post on Twitter.

Former CISA Director Christopher Krebs also highlighted the serious potential of the breach, tweeting on Thursday night that "this is the real deal" and encouraging organizations running Exchange Server to enter "incident response mode."

The newly discovered compromise comes as the federal government continues to investigate a massive Russian cyber espionage campaign that had been underway for at least a year before it was discovered.

The campaign, which became known as the SolarWinds hack, involved hackers exploiting software from the IT company SolarWinds to target up to 18,000 of its customers. As of last month, at least nine federal agencies and 100 private sector groups had been compromised.

Both FireEye and Microsoft were among the groups compromised in that operation, with FireEye widely credited for drawing attention to the incident by going public in December after it was breached.
