US cyber chief reports ‘widespread’ hacks after Microsoft app flaw

The nation’s top cybersecurity official told lawmakers Wednesday that the federal government is seeing “widespread” hacking using recently uncovered vulnerabilities in a Microsoft email application, with researchers saying almost a dozen hacking groups have used the flaw to target a variety of organizations.

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), testified to a House committee that the previously unknown vulnerabilities on Microsoft Exchange Server have been exploited globally and could have long-lasting consequences.

“CISA is already aware of widespread exploitation of the vulnerabilities, and trusted partners have observed malicious actors using these vulnerabilities to gain access to targeted organizations in the United States and globally,” Wales testified to the House Appropriations Homeland Security Subcommittee. 

“Importantly, once an adversary gains access to a Microsoft Exchange Server, they can access and control an enterprise network even after the vulnerabilities are patched, and malicious exploitation could be executed by actors with various motivations, from stealing information to executing ransomware attacks to physically damaging infrastructure,” he warned.

Wales’s testimony came a week after CISA issued an emergency directive ordering all federal agencies to investigate for signs of compromise and if found to immediately patch their systems to prevent exploitation.

The move came shortly after Microsoft announced that a Chinese state-sponsored hacking group known as “Hafnium” had been using the vulnerabilities to target U.S. organizations. 

Eric Goldstein, the executive assistant director for Cybersecurity at CISA, testified Wednesday that while no U.S. federal agency was confirmed to have been compromised by the incident, the investigation was ongoing. 

“We are working with individual agencies to assess the results of their forensic analysis, at this point in time, there are no federal civilian agencies that are confirmed to have been compromised,” Goldstein told the same House subcommittee. “This is an evolving campaign with information coming in by the hour.”

While U.S. federal agencies may not have been hit, thousands of other organizations were, with The Wall Street Journal reporting earlier this week that up to 250,000 groups may have been compromised worldwide. 

FireEye found evidence last week that the hackers had been exploiting the security flaws since as early as January, with victims including U.S. local governments, retailers and universities.

The vulnerabilities have been exploited globally as well, with the European Banking Authority launching an investigation into its own compromise earlier this week and the Czech Republic’s National Office for Cyber and Information Security announcing last week that it was assisting affected organizations.

The risks have also expanded, with new research released Wednesday by cybersecurity group ESET concluding that the Hafnium hacking group was one of at least 10 hacking cells exploiting the Microsoft vulnerabilities to break into targeted organizations.

In light of the massive scope of the cyber incident, federal officials have increasingly called on U.S. groups to patch their systems. CISA tweeted this week to strongly urge “ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities.”

The White House National Security Council (NSC) also urged action this week. 

“Patching and mitigation is not remediation if the servers have already been compromised,” the NSC tweeted. “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”