The United States is not ready to attribute blame for the sophisticated hack attack against Microsoft Exchange Server to China or any other actor, but will name the culprit(s) as soon as it is possible to do so, National Security Advisor Jake Sullivan has announced.
“I’m not in a position, standing here today, to provide attribution, but I do pledge to you that we will be in a position to attribute that attack at some point in the near future. And we won’t hide the ball on that; we will come forward and say who we believe perpetrated the attack,” Sullivan said, speaking to reporters in Washington on Friday.
Sullivan said the investigation into the hack is “still ongoing”, with the government gathering information and “trying to determine the scope and scale”.
“It is significant, but the precise number of systems that have been exposed by this vulnerability and have been exploited, either by nation-state threat actors or ransomware hackers or others – that is something that we are urgently working with the private sector to determine,” the official said, indicating that a “robust, whole-of-government response” had been mobilised to respond, although “ultimately, a lot of this comes down to the private sector taking the steps that they need to take to remediate”.
The Biden administration set up an inter-agency cybersecurity coordination group focused on the hack, with government agencies said to be investigating whether any of their systems have been compromised.
Microsoft Blames China
Microsoft accused China of orchestrating the hack attack last week, alleging that a “state-sponsored threat actor” referred to as “Hafnium” had taken advantage of multiple security vulnerabilities in Microsoft’s email service software to steal data, plant malware and even compromise the servers running Exchange starting in January.
Chinese Foreign Ministry spokesman Wang Wenbin dismissed Microsoft’s claims, saying Beijing “firmly opposes and combats cyber attacks and cyber theft in all forms,” and warning that blaming any nation without providing evidence is a “highly sensitive political issue”.
Did Microsoft Set Itself Up to Be Hacked?
The Microsoft hacking story took an intriguing turn on Friday, with the Wall Street Journal reporting, citing people said to be familiar with the matter, that the breach may have been made possible by a leak of sensitive data from the software giant’s security partners. According to the sources, investigators are examining whether the tools used by the hackers to exploit the security vulnerabilities could have been leaked, accidentally or deliberately, by one of the estimated 80 security firms involved in an information-sharing programme with the company. The partnership, known as the Microsoft Active Protections Program (Mapp), includes ten companies based in China.
Investigators told the newspaper that the tools used in the second wave of the attack, which began on 28 February and was run by four separate hacking groups, “bear similarities” to “proof of concept” attack code which Microsoft itself distributed to antivirus makers and other security partners on 23 February. The company only planned to release fixes to remedy the vulnerabilities on 9 March, but the hack attacks which began in late February forced it to rush their delivery.
A Microsoft spokesperson told WSJ that the company’s security partners would “face consequences” if it became apparent that a “Mapp partner was the source of a leak”.
Information security specialists have warned that Microsoft’s efforts to patch the vulnerabilities appear to have had little impact on the prevalence of hack attacks against its systems, with ESET Research reporting that at least ten advanced persistent threat (APT) groups are besieging Exchange servers in hopes of stealing data and planting malware. Malicious web shells enabling remote access are estimated to have been placed on over 5,000 email servers, ranging from government institutions and businesses to the European Banking Authority.
On Friday, ZDNet reported that Microsoft Exchange hacks have been ‘doubling’ every two hours, with organisations in Turkey, the United States, Italy, Germany, Brazil and the Netherlands taking the brunt of the attacks.