
'Really messy': Why the hack of Microsoft's email system is getting worse

Microsoft's announcement has complicated the situation, with efforts to fix the flaws appearing to have drawn more hackers to exploit organizations that haven’t yet updated the software.
Image: The Microsoft logo on an office building in New York City. (Mike Segar / Reuters file)

A week after Microsoft disclosed that hackers were actively exploiting flaws in its widely used Exchange email server software, experts are not encouraged by what they have found.

“In short, it's gotten really messy,” said Katie Nickels, the director of intelligence at the cybersecurity firm Red Canary. “We are seeing no signs of this slowing down.”

The cybersecurity community sprang into action after Microsoft first announced a series of vulnerabilities that let hackers break into on-premises installations of Exchange Server, the company's email and calendar software. Hackers that Microsoft attributed to the Chinese government have used the flaws to spy on a wide range of U.S. organizations, from medical researchers to law firms to defense contractors, the company said. China has denied responsibility.

But it hasn't stopped there. Microsoft's announcement has complicated the situation: the release of the patches appears to have drawn more hackers to exploit organizations that haven't yet applied them.

Nickels said she had seen indications that five different hacker groups, whose identities are unknown, were now exploiting the flaws.

The list of victims is growing, said Ben Read, the director of threat analysis at the cybersecurity company Mandiant.

“It’s big,” he said. “We're above 40 incidents we're responding to, just current customers we have. We're at over 500 likely victims based on confirmation of likely sources.”

While there is no official, public list of victims, the full tally is “definitely in the tens of thousands,” Read said. “There's definitely a lot of small-, medium-sized entities. That's the customer base of Exchange.”

A White House National Security Council spokesperson said in an emailed statement that the Biden administration “is undertaking a whole-of-government response to assess and address the impact.” 

“This is an active threat still developing,” the spokesperson said.

While there have been no reports so far that any government agencies have been affected, the U.S. Cybersecurity and Infrastructure Security Agency, the country's primary cybersecurity agency, on Wednesday used its emergency powers to order federal civilian agencies to apply Microsoft's patches to their Exchange servers.

In an unusually candid message, the agency then tweeted Monday evening that “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities.”

The hack started quietly, as a more surgical operation. Researchers say that at first, around the beginning of the year, the only hackers exploiting Exchange were the ones Microsoft identified as Chinese spies.

Near the end of January, the cybersecurity company Volexity noticed hackers spying on two of its customers and alerted Microsoft so it could begin working on a fix in its next Exchange software update.

“They were using that explicitly to steal emails,” Volexity President Steven Adair said in a phone call. “It was under the radar.”

Adair said that after he told Microsoft, he noticed a change in the hackers’ activity: They seemed to realize a patch was coming, so they moved from stealthily reading emails to trying to create footholds to stay in their victims’ networks, which made them far more visible to cybersecurity defenders.

“You don't care if they're noisy, because you’re trying to beat a patch,” he said of the hackers’ pivot. “You found your high-priority targets, you’ve been stealing emails, and now you want to move on. Maybe you want to build infrastructure to launch future attacks.”

Nickels, of Red Canary, said that hackers began frantically exploiting the Exchange vulnerabilities around the end of February, and that the activity has escalated since.

“We continued to see exploitation of these vulnerabilities over the weekend,” she said. “Any organization with an Exchange server needs to take it very seriously.”