Chinese Hackers Allegedly Take Advantage of a Microsoft Exchange Flaw To Steal Call Records
In early March, Microsoft revealed that flaws in its Microsoft Exchange software were being exploited by a Chinese hacking crew known as Hafnium. The group, it revealed, had been carrying out targeted attacks on several organizations, including law firms, defense contractors, NGOs, and even infectious disease researchers. The vulnerable systems targeted include the email platforms used by these organizations.
When the attacks occur, the hackers leave behind a tool known as a web shell: a password-protected hacking tool that can be reached over the internet. Unpatched Exchange servers are the most exposed, because the web shell gives the hacker unfettered remote access to the victim’s computer. Reports have emerged that hundreds of thousands of Microsoft Exchange servers have been compromised this way. Each compromised server represents an organization that uses Exchange as part of its administrative setup.
Hafnium has also been blamed for a string of attacks on a Southeast Asian telecommunication company. In this instance, the hackers targeted and stole call logs from the unnamed company beginning from late 2020, even before the Microsoft Exchange hack was discovered.
The hacking group has been in operation since 2017 and has managed to evade detection the entire time. A report in 2019 revealed that the group breached the security of 10 telecom companies in Africa, the Middle East, Europe, and Asia. At the moment, the group has joined two other hacking teams with ties to China to carry out the same kinds of attacks.
Cybersecurity company Volexity is credited with first detecting the breach. The company noticed a massive transfer of data from Microsoft Exchange servers in early January 2021. Unfortunately, this was within the period when the world was distracted by the United States’ Capitol riot. Steven Adair, Volexity’s president, stated that the hackers would most likely accelerate their actions in the coming months. Organizations that are unable to make the required changes to their systems and install the security updates Microsoft made available will be the most vulnerable.
“As bad as it is now, I think it’s about to get a lot worse,” Adair said. “This gives them a limited amount of opportunity to go and exploit something. The patch isn’t going to fix that if they left their backdoor behind.”
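Adair’s point is the practical consequence of the web shell described above: the patch closes the entry point, but a shell already dropped into a web directory keeps working until someone finds and removes it. The following script is an added defender-side example, not code from the article or from Microsoft or Volexity. It triages an IIS/Exchange web root for server-side files that look shell-like (request input flowing into an evaluator or process launcher, very small server-side script blocks) and for anything written after a chosen cutoff such as the patch roll-out. The heuristics, the directory layout and both sample files are constructed assumptions for illustration; a real run would point it at the server’s web root and pair the hash check with a vendor-supplied indicator list.

```python
"""Triage scan of an IIS/Exchange web root for web-shell-like server-side files.

Added defender-side example. The heuristics below are generic assumptions about
how web shells tend to look, not indicators taken from the article or a vendor.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Extensions IIS executes server-side (assumption: the ones most worth triaging).
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asax"}

# Generic web-shell traits: request-supplied input that reaches an evaluator or
# a process launcher, and very small server-side script blocks.
INPUT_PATTERN = re.compile(r"Request\s*(\[|\.Form|\.QueryString|\.Item)", re.I)
EXEC_PATTERN = re.compile(
    r"\b(eval|Execute|ExecuteGlobal|Process\.Start|cmd\.exe|powershell)\b", re.I)
SCRIPT_BLOCK = re.compile(r"<script[^>]+runat\s*=\s*[\"']?server", re.I)
SMALL_FILE_BYTES = 4096


def sha256_of(path):
    """Hash a file so it can be compared against a vendor-supplied IoC list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, since=None, known_bad_hashes=frozenset()):
    """Return the reasons a file looks suspicious; an empty list means none found.

    `since` is a POSIX timestamp (e.g. when the patch was rolled out): anything
    written at or after it deserves a look even if it scans clean, because the
    patch closes the entry point but does not remove a shell already dropped.
    """
    reasons = []
    if os.path.splitext(path)[1].lower() not in EXECUTABLE_EXT:
        return reasons
    st = os.stat(path)
    if since is not None and st.st_mtime >= since:
        reasons.append("modified on or after cutoff")
    if sha256_of(path) in known_bad_hashes:
        reasons.append("matches known-bad hash")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        body = f.read()
    if INPUT_PATTERN.search(body) and EXEC_PATTERN.search(body):
        reasons.append("request input reaches an evaluator or process launcher")
    if SCRIPT_BLOCK.search(body) and st.st_size < SMALL_FILE_BYTES:
        reasons.append("tiny server-side script block")
    return reasons


def scan(root, since=None, known_bad_hashes=frozenset()):
    """Walk a web root and map relative paths (with '/' separators) to reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify(path, since, known_bad_hashes)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def scan_demo(since=None):
    """Build a constructed sample web root, scan it, and clean up.

    Both files are made up for this example: a plain logon page and a
    non-functional stand-in that only exhibits the shell-like pattern.
    """
    root = tempfile.mkdtemp(prefix="owa_demo_")
    try:
        auth_dir = os.path.join(root, "owa", "auth")
        os.makedirs(auth_dir)
        with open(os.path.join(auth_dir, "logon.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
        with open(os.path.join(auth_dir, "x.aspx"), "w") as f:
            # Constructed, non-functional sample: request input handed to an evaluator.
            f.write('<script runat="server">'
                    'void Page_Load() { Execute(Request["c"]); }</script>\n')
        return scan(root, since)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in sorted(scan_demo().items()):
        print(path, "->", "; ".join(reasons))
```

Run against the constructed root, only the shell-like file is reported; pass a cutoff timestamp and the legitimate logon page is reported too, which is intended: after an incident, every executable file touched since the patch window is worth a human look, not just the ones that match a pattern.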
In a swift reaction, on March 2, Microsoft released security updates to tackle the vulnerabilities the hackers were exploiting in Exchange server versions 2013 through 2019.
The company further stated that it was working with the United States’ Cybersecurity & Infrastructure Security Agency (CISA) to offer guidance to customers on the way forward. “The best protection is to apply updates as soon as possible across all impacted systems,” a company spokesperson said.
Microsoft, however, added that the attacks did not affect customers using the Exchange Online Service. Nonetheless, it is certain that most of the organizations that have been compromised used some form of Microsoft Outlook Web Access (OWA), in addition to internal Exchange servers.
Link to China
In July, the White House formally blamed China for exploiting the Microsoft Exchange flaw to perpetrate the attack. The United States released a statement urging the Chinese authorities to “adhere to international relations norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”
Assaf Dahan, head of target research at Cybereason, a cybertechnology company, established the hackers’ links to China. According to Dahan, the nature of the attacks and the overlap of tactics and targets suggest that the hackers have the same origin – the Chinese government. Moreover, the targets have all been of interest to the Chinese authorities, most importantly political dissidents.
However, there is no concrete way to link the attacks back to China, because attacks on telecommunications providers are hard to trace to particular individuals or governments. Attribution is much easier when attacks target individuals, such as where spyware is embedded on a victim’s device. Going after telecom providers also has another benefit for the attackers: it blurs the identity of the end targets, since telecom users come from a large pool of individuals across several countries. Because no specific end user is singled out, law enforcement agencies will find it difficult to detect the attacks or prevent them.
According to Dahan, even though the primary targets of the Microsoft Exchange attacks were Southeast Asian countries, there is the possibility that people in other regions could also have been targeted.
A top-level security expert described the nature of the attacks from China as bewildering, saying the move was reckless and out of character for China.
The Chinese authorities, expectedly, denied responsibility for the attack.