Thousands of companies have been affected by security vulnerabilities in Microsoft Exchange on-premises servers. The flaws are impacting organizations across every industry and beyond, and this is the second mass-exploitation event in three months.

The threat actors responsible for the attacks are suspected to be Hafnium, a People’s Republic of China (PRC) state-sponsored group. Hafnium primarily targets U.S. organizations such as law firms, disease researchers, educational institutions, think tanks, and many others as part of the PRC’s continual effort to steal U.S. intellectual property.

State-sponsored threats like Hafnium can be dangerous for organizations in the U.S. A state-sponsored threat is unique in that the threat actors, cyber espionage operators, have the full support of the Chinese government when attacking U.S. companies.

For many threat groups around the world, financial gain is the primary motive for attacking organizations. For the Chinese state-sponsored threat, the primary focus is theft of intellectual property, more so than theft of classified U.S. information. Over the past year, popular targets were research facilities that held vaccine information relating to Covid-19. In May, a leading Covid-19 therapeutics institution, Gilead Sciences, was targeted by Chinese threat actors who attempted to collect passwords from executives through fake email login pages. In another instance, Johnson & Johnson’s CISO was quoted this past December saying state-sponsored threats were attacking them “every single minute of every single day”. SpearTip has a long history of conducting counterespionage investigations that display the PRC’s tradecraft of blending traditional HUMINT with cyber espionage activity by Chinese scientists and state actors. They are often cited as advanced persistent threats (APT) for a reason.

When the Exchange vulnerabilities came to light, Hafnium took an aggressive approach to attacking organizations. By installing web shells, Hafnium threat actors left a backdoor into networks that gave them complete remote control, the ability to read all emails, and easy access to move laterally across networks to other victim machines. Microsoft’s security team was aware of the vulnerabilities in January but wanted to notify all users of the affected servers before the flaws became public to threat actors, in order to avoid the mass scan and inevitable exploitation. Unfortunately, Hafnium and other threat groups became aware of a published proof-of-concept (PoC) and began to exploit the vulnerabilities immediately. Even though Chinese attacks have become more brazen over the years, the Hafnium exploitation was extremely “noisy” and still a bit out of character. SpearTip continues to analyze the exploit, its impact, and the follow-on actions that this group will leverage.
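A web shell dropped on a server is, at the file-system level, a server-side script that was not there at install or patch time, or an existing script whose contents changed. The following added example, written for this article and not code from SpearTip or Microsoft, shows the integrity-monitoring check a defender can run against a web-accessible directory: take a hash manifest of every server-side script on a known-clean tree, then audit the tree against that manifest and report new, modified, or missing scripts. The directory layout, file names, and file contents are constructed for the example and do not correspond to any real Exchange path or indicator.

```python
import hashlib
import os
import tempfile

# File extensions the web server executes as server-side script.
# Assumption: this covers the script types served by the site being monitored.
WEB_SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(web_root):
    """Map relative path -> SHA-256 for every server-side script under web_root.
    Run this on a known-clean install (or right after patching) and store the
    result where the web server's service account cannot write to it."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_SCRIPT_EXTENSIONS:
                path = os.path.join(dirpath, name)
                manifest[os.path.relpath(path, web_root)] = sha256_file(path)
    return manifest


def audit_web_root(web_root, manifest):
    """Compare the current tree with the baseline manifest and return a sorted
    list of (relative_path, reason). A script that did not exist at baseline,
    or whose hash changed, is what a dropped web shell looks like on disk,
    regardless of how the shell itself is written."""
    findings = []
    current = build_manifest(web_root)
    for rel, digest in current.items():
        if rel not in manifest:
            findings.append((rel, "new script file not in baseline"))
        elif manifest[rel] != digest:
            findings.append((rel, "script file modified since baseline"))
    for rel in manifest:
        if rel not in current:
            findings.append((rel, "baseline script file missing"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a clean tree, simulate two
    post-compromise changes (one new script, one altered script), and audit."""
    root = tempfile.mkdtemp(prefix="webroot-")
    site = os.path.join(root, "site")
    os.makedirs(site)
    with open(os.path.join(site, "login.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>login form</html>\n')
    with open(os.path.join(site, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG not a script\n")  # non-script files are ignored
    manifest = build_manifest(site)

    # Simulated intrusion: a script appears that was never in the baseline,
    # and a baseline script has content appended to it. Both bodies are
    # inert placeholders constructed for this example.
    with open(os.path.join(site, "unexpected.aspx"), "w") as fh:
        fh.write("<%-- constructed placeholder standing in for a dropped file --%>\n")
    with open(os.path.join(site, "login.aspx"), "a") as fh:
        fh.write("<%-- constructed placeholder for injected content --%>\n")

    return audit_web_root(site, manifest)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

The manifest approach catches a backdoor by what it is (an unexpected change to executable content on the web tier) rather than by what it contains, so it does not depend on having signatures for a particular group's tooling. In practice the manifest should be rebuilt after every legitimate patch and the audit scheduled frequently, with any finding treated as a trigger for the incident-response process described below.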

If you’re a leader in your organization, imagine the ramifications if people outside your business could access and read company emails. Going through your response process with a security firm and legal teams will help you stop these persistent threats. This won’t be the last time thousands of organizations are affected all at once. Be prepared to act.

All it takes is one exposed vulnerability to ignite a mass-scan by threat actors. Security firms are essential in protection because they have dedicated teams analyzing and unpacking malware to understand how it operates and what the threat actors are trying to accomplish. So, when another large-scale attack happens, think about how your organization is approaching company security.

A continuous 24/7 investigation cycle provides the most impactful action when responding to state-sponsored threats. Understanding their motives, tactics, techniques, and procedures is the only way to be able to stop them.

It’s not your average cybercriminal on the other side of these attacks. It’s a highly sophisticated team of threat actors with malicious intent and the ability to thwart almost all of your general security tools. You need to match that expertise in your proactive defense in order to stop threats from doing damage to your organization and Outmaneuver Your Adversary ®.