The attack exploited four zero-day flaws in Microsoft Exchange Server email software and affected approximately a quarter of a million servers worldwide. Affected victims included the European Banking Authority, Norwegian parliament, and other banks, retailers, universities, and electricity providers.
Microsoft attributed a Chinese APT group as the source of the attack. Tom Burt, corporate vice president of customer security and trust at Microsoft, stated that the attacks were carried out by “a state-sponsored threat actor” that Microsoft’s threat intelligence center dubbed Hafnium.
The White House stated in a release that China’s Ministry of State Security contracted exploitation of Microsoft Exchange Servers to criminal organizations and these criminal groups engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft.
Collaboration between nation-state threat groups and cybercriminals will increase attribution challenges. Jeff Barker, vice president at the cybersecurity company Illusive, noted that a “nation-state may use a ransomware group to mask their activities.”
Incidents such as the massive SolarWinds Orion supply chain cyberattack and targeted attacks against Microsoft Exchange Server have prompted industry concern over third-party risk management practices and regulatory attention. This month, the US Federal Reserve, Office of the Comptroller of the Currency, and the FDIC jointly proposed guidance on third-party risk management procedures.
Hafnium primarily targets US companies to obtain their private data, according to a Microsoft post on the incident. These data leaks could allow companies affected by the hack to be exploited further.