The attack is already believed to be bigger than a December intrusion by Russian hackers, known as the SolarWinds attack, which affected at least 250 federal agencies and businesses. Last month, members of Congress questioned industry leaders about why the Russian attack had gone undetected.
The latest attack exploited holes in Exchange, a mail and calendar server created by Microsoft and used by a broad range of customers, from small businesses to federal government agencies. The hackers were able to steal emails and install malware to continue surveillance of their targets, Microsoft said in a blog post.
“Highly skilled attackers continue to innovate in order to bypass defenses and gain access to their targets, all in support of their mission and goals,” researchers from Volexity wrote in a blog post. “These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access email accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers.”
The hackers targeted as many victims as they could find across the internet, hitting small businesses, local governments and large credit unions, according to one cybersecurity researcher who has studied the U.S. investigation into the hacks and is not authorized to speak publicly about the matter. The flaws used by the hackers, known as zero-days, were previously unknown to Microsoft.
“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” said Jake Sullivan, the White House national security adviser.