FireEye finds evidence Chinese hackers exploited Microsoft email app flaw since January

Cybersecurity group FireEye on Thursday night announced it had found evidence that hackers had exploited a flaw in a popular Microsoft email application since as early as January to target groups across a variety of sectors. 

FireEye analysts wrote in a blog post that the company had observed the hackers — who Microsoft announced earlier this week were a Chinese state-sponsored hacking group known as “Hafnium” — exploiting vulnerabilities in Microsoft’s Exchange Server email program to target at least one FireEye client beginning in January.

Since then, FireEye found evidence that the hackers had gone after an array of victims, including “US-based retailers, local governments, a university, and an engineering firm,” along with a Southeast Asian government and a Central Asian telecom. 

The news comes two days after Microsoft said the Chinese hacking group was actively exploiting previously unknown security flaws in Exchange Server to go after groups running the program. 

Microsoft noted that Hafnium had previously been known to steal information from organizations including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernmental organizations. 

FireEye analysts wrote Thursday night that “the activity reported by Microsoft aligns with our observations.”

“The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments,” the analysts wrote. “This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.”

The federal government may have also been affected by the email application vulnerability, which Microsoft issued a patch for earlier this week. 

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to investigate for signs of compromise and to either patch or disconnect from the Exchange Server program if a compromise had taken place.

Jake Sullivan, President Biden’s national security adviser, encouraged all network owners to immediately implement the Microsoft patch Thursday night. 

“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” Sullivan tweeted. 

Former CISA Director Christopher Krebs also underlined the potential seriousness of the breach, tweeting Thursday night that “this is the real deal,” and encouraging organizations running Exchange Server to go into “incident response mode.”

The newly discovered compromise comes as the federal government is still investigating a massive Russian cyber espionage attack that was ongoing for at least a year prior to discovery. 

The breach, which has become known as the SolarWinds hack, involved the hackers exploiting software from IT group SolarWinds to target up to 18,000 of its customers. As of last month, at least nine federal agencies and 100 private sector groups had been compromised. 

Both FireEye and Microsoft were among the groups compromised by as part of the hacking operation, with FireEye widely credited for drawing attention to the incident by coming forward publicly in December after it was breached.