As President Joe Biden contemplates reprisals against the Russian hackers whose attack on another software company, SolarWinds, went public in December, the Hafnium hack has become a huge free-for-all, and its consequences could be even worse. As experts sprint to close the holes opened by the Chinese hacking, officials say the U.S. government is watching closely what happens next to thousands of newly vulnerable servers, and weighing how to respond to China.
“The doors are wide open for any bad actor who wants to do anything on your Exchange server and the rest of your network,” says Sean Koessel, vice president of Volexity, the cybersecurity company that helped uncover the hacking activity. “The best case is espionage – someone who just wants to steal your data. The worst-case scenario is the entry and deployment of ransomware across the network.”
The distinction between the two attacks is not just about the technical details, or even the country that carried them out. Although 18,000 companies downloaded the compromised SolarWinds software, the number of true targets was only a fraction of that size. Hafnium, meanwhile, was far more indiscriminate.
“Both started as spy campaigns, but the difference really is in the way they were carried out,” says Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of security firm CrowdStrike. “The Russian SolarWinds campaign was carried out with great care, where the Russians took on the targets they held dear and closed access everywhere else, so that neither they nor anyone else could access those targets that did not interest them.
“Compare that with the Chinese campaign,” he said.
“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They have left web shells that can now allow others to access these networks, even ransomware players. That is why it is very reckless and dangerous, and why it is necessary to react.”
Mass exploitation
The start of the Hafnium campaign was “very little known,” says Koessel.
The hack was missed by most security checks: It was only spotted when Volexity noticed strange and specific internet traffic requests from the company’s customers who were running their own Microsoft Exchange mail servers.
A month-long investigation showed that four rare zero-day exploits were being used to steal entire mailboxes – potentially devastating for the individuals and businesses involved, but at this point there were few victims and the damage was relatively limited. Volexity worked with Microsoft for weeks to fix the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only did the number of victims start to increase, but so did the number of hacker groups.
It is not clear how several government hacking groups became aware of the zero-day vulnerabilities before Microsoft made a public announcement. So why did the scale of exploitation explode? Perhaps, some suggest, the hackers realized that their time was almost up. But if they knew a patch was coming, how did they find out?
“I think it is very rare to see so many [advanced hacking] groups with access to the exploit for a vulnerability when the details are not public,” explains Matthieu Faou, who conducts research on Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities have been disclosed to the threat actors” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”