On The Microsoft Exchange Hack

At the beginning of 2021 the security firm Volexity detected abnormal activity on its customers’ Microsoft Exchange servers, which later led to the uncovering of four severe zero-day vulnerabilities. A zero-day is a flaw that the vendor and defenders are not yet aware of, so no patch exists for it. Until the root cause is addressed, it can be exploited to affect data, software or possibly whole networks. In the case of the Microsoft Exchange attacks, these vulnerabilities may have led to data theft, Remote Code Execution (RCE), server hijacking, and other threats. Microsoft Exchange is an e-mail, calendar, and collaboration solution that runs on Windows server operating systems; because its customers range from small businesses to enterprise giants, the scale of the attack is enormous. Some cybersecurity experts believe the attack affected approximately 30,000 organisations.


Microsoft released an official statement regarding the attacks on March 2, calling the attackers “a state-sponsored threat” named Hafnium. Microsoft disclosed that Hafnium operates from China and described the group as a “highly-skilled and sophisticated actor.” It also mentioned Hafnium’s past targets, which range from defence contractors to infectious disease researchers, along with law firms, higher education institutions, NGOs, and policy think tanks. Although Microsoft had tracked Hafnium beforehand, this was the first time it had disclosed details about the group. Hafnium can be classified as an Advanced Persistent Threat (APT). APTs are stealthy threat actors, typically nation-state or state-sponsored groups, that aim to gain access to systems and remain undetected for a long time. Such groups’ motivations are generally economic or political, so they prioritize maintaining persistent access in pursuit of long-term goals rather than settling for short-term disruption or financial gain. In the Exchange attacks, once the vulnerabilities had been discovered and knowledge of them spread, many other entities joined in to exploit them. Research conducted by ESET found that at least 10 APTs exploited the vulnerabilities, some of them while the flaws were still zero-days. Some of the more notable APTs that used these exploits alongside Hafnium are Calypso, Tick, and LuckyMouse.


While Microsoft has issued several patches to address these vulnerabilities, the estimated number of victims continued to rise because patch uptake proceeded at different speeds across organisations, leaving different sets of potential victims exposed at any given time. Researchers at Huntress observed more than 100 different web shells scattered across 1,500 servers that were still vulnerable, and speculated that the numbers would keep rising. Web shells are pieces of code, written in common web development languages, that are planted on a server and typically give an attacker remote access and code execution, creating what is called a backdoor. Patching closes the entry point but does not remove a shell that has already been planted, so removing these web shells, along with applying the patches, is critical to avoiding future attacks.
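Because patching alone does not remove a web shell that was dropped before the patch, defenders need a way to find server-side script files that should not be there. The following is an added example, not code from the article, Microsoft, Huntress or any other party: it takes a baseline of server-executable script files (by path and SHA-256) from a web root assumed to be known-clean, and later diffs the live tree against that baseline to report added, modified and missing files. The directory names, file names and file contents in the demo are constructed placeholders, not real Exchange paths.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Extensions that an ASP.NET host executes server-side. A dropped web shell
# needs one of these so that a plain HTTP request runs it. (Assumed list;
# extend it to match the application being protected.)
SERVER_SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _script_files(root: Path):
    """Yield (relative posix path, absolute path) for every server-side script under root."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SERVER_SCRIPT_SUFFIXES:
            yield p.relative_to(root).as_posix(), p


def build_baseline(root: Path) -> dict[str, str]:
    """Record relative path -> SHA-256 for every script file under root.

    Assumption: this is run on a freshly patched, known-clean web root, so the
    baseline itself does not already contain an attacker's file.
    """
    return {rel: sha256_of(p) for rel, p in _script_files(root)}


def scan_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against the baseline.

    'added'    - script files absent from the baseline (a dropped web shell)
    'modified' - baseline files whose hash changed (code appended to a legitimate page)
    'missing'  - baseline files that disappeared (worth a look, but usually benign)
    """
    findings = {"added": [], "modified": [], "missing": []}
    seen = set()
    for rel, p in _script_files(root):
        seen.add(rel)
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != sha256_of(p):
            findings["modified"].append(rel)
    findings["missing"] = list(set(baseline) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a fake web root with two legitimate pages, then a
    simulated intrusion that drops one new .aspx and edits one existing page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "auth").mkdir(parents=True)
        (root / "static").mkdir()
        legit = "<%-- constructed placeholder for a legitimate page --%>"
        (root / "app" / "auth" / "login.aspx").write_text(legit)
        (root / "app" / "auth" / "error.aspx").write_text(legit)
        (root / "static" / "readme.txt").write_text("not a script; ignored by the scan")

        baseline = build_baseline(root)  # taken while the tree is clean

        # Simulated post-compromise changes; contents are inert placeholders.
        (root / "static" / "dropped.aspx").write_text("CONSTRUCTED-UNEXPECTED-FILE")
        (root / "app" / "auth" / "error.aspx").write_text(legit + " CONSTRUCTED-APPENDED-CODE")

        return scan_against_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline would be written to disk (or a remote store the web server cannot modify) immediately after patching, and the scan scheduled to run regularly; any `added` or `modified` entry is a file to quarantine and examine, since a legitimate deployment should explain every change.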


In recent years there have been a number of large-scale cyber attacks and operations, most notably the SolarWinds attack, which affected up to 18,000 of that company’s customers, and the Russian information warfare targeting both the 2016 and 2020 US presidential elections. However, with the Microsoft Exchange attacks attributed to a China-linked group, we are witnessing a new trend of attacks that specifically target global corporations through cyber espionage. According to Microsoft President Smith, the threat that cyberweapons and cyberwarfare pose is similar to the threat that technological advances of the past posed to the US. Even a basic analysis shows many reasons to prefer cyber attacks over traditional means of espionage or warfare: they are less costly to execute, allow the attacker to remain relatively stealthy and, most importantly, can be organised and run from the attacker’s own territory. With the global cost of cybercrime in 2021 projected to reach $6 trillion annually, cyber attacks will certainly become more common in the near future. They are a threat that will continue to escalate, as growing technology adoption and concepts such as the Internet of Things (IoT) make it much easier for potential attackers to find and exploit vulnerabilities.


Against this backdrop, it is a critical security necessity that governments plan and prepare for cyber attacks, especially in volatile political landscapes. State-sponsored cyber crime will continue to increase; the covert and hard-to-trace nature of cyber attacks grants the anonymity that states exploit to shape different geopolitical landscapes. Given the unpredictable nature of such attacks, they may trigger diplomatic and/or geopolitical strife. In the coming years we are likely to see cyberspace become a critical arena for geopolitical competition, as nations, corporations, and individuals continue to adopt new technologies that create ever more opportunities for cyber attacks.