FILE - In this Nov. 10, 2016, file photo, people walk past a Microsoft office in New York. China-based government hackers have exploited a bug in Microsoft’s email server software to target U.S. organizations, the company said Tuesday, March 2, 2021. (AP Photo/Swayne B. Hall, File)

Microsoft server hack has victims hustling to stop intruders

White House calls hack an ‘active threat’

BOSTON — Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.

The White House has called the hack an “active threat” and said senior national security officials were addressing it.

The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.

While the hack doesn’t pose the same kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which, even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.

“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.

He blames China for the global wave of infections that began Feb. 26, though other researchers say it’s too early to confidently attribute them. It’s a mystery how those hackers got wind of the initial breach because no one knew about this except a few researchers, Alperovitch said.

After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.

Cybersecurity analysts trying to pull together a complete picture of the hack said their analyses concur with the figure of 30,000 U.S. victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said about 250,000 global victims have been estimated.

Microsoft has declined to say how many customers it believes are infected.

David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.

“Anybody that had Exchange installed was potentially vulnerable,” he said. “It’s not every single one but it’s a large percentage of them.”

Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches won’t be enough to protect those already infected. “If you patch today that is going to protect you going forward but if the adversaries are already in your system then you need to take care of that,” she said.

A smaller number of organizations were targeted in the initial intrusion by hackers who grabbed data, stole credentials or explored inside networks and left backdoors at universities, defence contractors, law firms and infectious-disease research centres, researchers said. Among those Kennedy has been working with are manufacturers worried about intellectual property theft, hospitals, financial institutions and managed service providers who host multiple company networks.

“On the scale of one to 10, this is a 20,” Kennedy said. “It was essentially a skeleton key to open up any company that had this Microsoft product installed.”

Asked for comment, the Chinese embassy in Washington pointed to remarks last week from Foreign Ministry spokesperson Wang Wenbin saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms” and cautioning that attribution of cyberattacks should be based on evidence and not “groundless accusations.”

The hack did not affect the cloud-based Microsoft 365 email and collaboration systems favoured by Fortune 500 companies and other organizations that can afford quality security. That highlights what some in the industry lament as two computing classes — the security “haves” and “have-nots.”

Ben Read, director of analysis at Mandiant, said the cybersecurity firm has not seen anyone leverage the hack for financial gain, “but for folks out there who are affected time is of the essence in terms of patching this issue.”

That is easier said than done for many victims. Many have skeleton IT staff and can’t afford an emergency cybersecurity response — not to mention the complications of the pandemic.

Fixing the problem isn’t as simple as clicking an update button on a computer screen. It requires upgrading an organization’s entire so-called “Active Directory,” which catalogues email users and their respective privileges.

“Taking down your email server is not something you do lightly,” said Alperovitch, who chairs the non-profit Silverado Policy Accelerator think-tank.

Tony Cole of Attivo Networks said the huge number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overstretched cybersecurity officials. “There’s not enough incident response teams to handle all of this.”

Many experts were surprised and perplexed at how groups rushed to infect server installations just ahead of Microsoft’s patch release. Kennedy, of TrustedSec, said it took Microsoft too long to get a patch out, though he does not think it should have notified people about it before the patch was ready.

Steven Adair of the cybersecurity firm Volexity, which alerted Microsoft to the initial intrusion, described a “mass, indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries, (including) criminal actors.”

The Cybersecurity Infrastructure and Security Agency issued an urgent alert on the hack last Wednesday and National Security Adviser Jake Sullivan tweeted about it Thursday evening.

But the White House has yet to announce any specific initiative for responding.

By The Associated Press

