Microsoft has disclosed evidence that “Hafnium,” a new Chinese hacking group, has been targeting US servers running Microsoft’s email system.
Following the 2020 US Treasury Department hack which involved compromised Microsoft Office accounts, Microsoft has now disclosed a separate attack on its systems. The attack, organized by a group Microsoft has codenamed “Hafnium,” is described as “highly skilled and sophisticated.”
“Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium,” said Microsoft in a blog announcement. “Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.”
Hafnium — unrelated to the material used in Intel processors — is based in China. However, “it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software,” continues Microsoft. “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.”
“Second, it would create what’s called a web shell to control the compromised server remotely,” says the announcement. “Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
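Microsoft's three-step description above (initial access, a web shell, then remote data theft) gives a defender one concrete place to look: at the file-system level a web shell is a script file written into a directory the web server executes. The Python script below is an added example, not Microsoft's code or any tooling the article mentions. It snapshots the executable script files under a web root after a known-good deployment, then diffs the live tree against that baseline to surface new, altered or missing script files for review. The directory and file names, the sample contents and the extension list are constructed assumptions for the demo.

```python
"""Baseline-and-diff check for server-side script files under a web root.

Added example, not Microsoft's code: take a hash inventory of executable
script files from a known-good state, then compare the live tree against it.
New or modified script files in a web-served directory are review candidates.
All paths, names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the web server would execute as code. Assumption for the demo;
# tune to the platform actually deployed.
SCRIPT_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asax", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict:
    """Map relative path -> sha256 for every script file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                relative = str(path.relative_to(root)).replace(os.sep, "/")
                result[relative] = sha256_of(path)
    return result


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Return script files that are new, modified or missing relative to baseline."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "modified": sorted(
            k for k in current if k in baseline and current[k] != baseline[k]
        ),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed web root, snapshot it, then simulate a later change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed legitimate content: one script file and one static asset.
        (root / "app" / "auth.aspx").write_text("<!-- constructed: legitimate page -->")
        (root / "app" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = inventory(root)  # taken after a known-good deployment

        # Simulated post-deployment change: a new script file appears and a
        # legitimate one is altered. Static assets are not inventoried.
        (root / "app" / "dropped.aspx").write_text("<!-- constructed: unexpected file -->")
        (root / "app" / "auth.aspx").write_text("<!-- constructed: altered content -->")
        return diff_inventory(baseline, inventory(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline must be taken from a state you trust (immediately after a clean deployment or patch), and it needs to be refreshed after every legitimate update or the report fills with expected changes. The check is report-only: every flagged file is a candidate for review, not a verdict. It complements, and does not replace, applying the updates the article describes.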
Microsoft says that it has “worked quickly to deploy an update” to address the “Hafnium exploits.” It also says that the attacks targeted only business customers.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” it says. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”
Microsoft also reports that it has briefed “appropriate US government agencies on this activity.”
According to the company, this is the eighth time in a year that it has uncovered and disclosed “nation-state groups targeting institutions critical to civil society.” While all of these were concerned with corporations instead of individuals, there have previously been vulnerabilities in Microsoft Office that affected Mac users.