Microsoft hack: Biden launches emergency taskforce to address cyber-attack

The ‘unusually aggressive’ attack allowed hackers to access email accounts of at least 30,000 organizations in the US

The Biden administration is launching an emergency taskforce to address an aggressive cyber-attack that has affected hundreds of thousands of Microsoft customers around the world – the second major hacking campaign to hit the US since the election.

The attack, first reported by security researcher Brian Krebs on 5 March, allowed hackers to access the email accounts of at least 30,000 organizations in the US.

These back channels for remote access can affect credit unions, town governments and small business, and have left US officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency.

The “unusually aggressive” attack infiltrated accounts using tools that give the attackers “total, remote control over affected systems”, cybersecurity experts briefed on the topic told Krebs.

On Saturday the Cybersecurity and Infrastructure Security Agency (Cisa) encouraged all organizations using Microsoft Exchange to scan devices for vulnerabilities. The breach represents “a significant vulnerability that could have far-reaching impacts”, the White House press secretary, Jen Psaki, said in a press briefing on Friday.

“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

The latest hack comes on the heels of SolarWinds, a separate series of sophisticated attacks attributed to Russia that breached about 100 US companies and nine federal agencies.

Microsoft said it has seen “no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”.

Researchers say the recent hack began as a controlled attack on a few large targets starting in late 2020 and was detected in early January as it developed into a more widespread campaign. Additional attacks are expected from other hackers as the code used to take control of the mail servers spreads.

The Biden administration has launched a multi-agency effort initiated by the national security council, that includes the FBI, Cisa and others, the US official said, to determine who has been hacked, what has been done, and how to quickly patch the vulnerabilities.

Microsoft first issued patches for the attack on Tuesday, but fixing the issue will be more complicated as these patches do not undo the damaged already caused, said Oliver Tavakoli, the chief technology officer at California-based security firm Vectra.

“Patching their Exchange servers will prevent an attack if their Exchange server has not already been compromised,” Tavakoli said. “But it will not undo the foothold attackers have on an already compromised Exchange server.”

The European Banking Authority, the European Union’s banking regulator, which gathers and stores swaths of sensitive data about banks and their lending, confirmed on Monday it had been affected. It said it believed the cyber-attack had struck only its email servers and that no data had been obtained. Psaki declined to answer in this weekend’s press conference whether any large US government bodies were affected by the breach, and other targets have not yet been named.

A person working with the US response told Reuters that the attack had been blamed on a Chinese government-backed actor. Microsoft has also attributed the attack to China. A Chinese government spokesman said the country was not behind the intrusions, according to Reuters.

The latest hack comes on the heels of SolarWinds, a separate series of sophisticated attacks attributed to Russia that breached about 100 US companies and nine federal agencies.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

A Microsoft spokesman said in a statement the company is working closely with Cisa, other government agencies and security companies to respond to the hack.

“The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance,” he said. “Impacted customers should contact our support teams for additional help and resources.”

The most recent Microsoft hack, which one former national security official briefed on the matter called “absolutely massive” in an interview with Wired, may end up being larger than the historically large SolarWinds attack that prompted a congressional hearing this month.

At that hearing, tech executives including Microsoft’s president, Brad Smith, said hacks like these were difficult to address as many organizations do not publicly announce breaches until long after they are discovered.

Meanwhile, handling this hack so close to the recent SolarWinds attacks will be difficult for US agencies, said Tavakoli.

“This hack will compete for the same investigative and remediation resources, so having two such broad attacks occur near the same time places exorbitant strain on the resources,” he said.

Reuters contributed to this report


Kari Paul

The GuardianTramp

Related Content

Article image
Suspected Russian cyber-attack growing in scale, Microsoft warns
Government agencies around world among targets in SolarWinds ‘espionage-based’ hack

Dan Sabbagh Defence and security editor

18, Dec, 2020 @5:07 PM

Article image
The state of cyber security: we’re all screwed
Sophisticated cybercrime, privacy fears and ongoing confusion about security have soured the internet for many, and doing something about it won’t be easy

Dan Tynan in Las Vegas

08, Aug, 2016 @7:07 PM

Article image
Microsoft seeks Biden's support in case against Israeli spyware firm
Microsoft’s president says NSO Group enables more nation-states to deploy cyber-attacks, including against journalists and activists

Stephanie Kirchgaessner in Washington

18, Dec, 2020 @7:44 PM

Article image
Why US elections remain 'dangerously vulnerable' to cyber-attacks
Officials have dragged their feet on updating machines and securing data – and a climate of fear could undermine voter confidence

Andrew Gumbel in Los Angeles

13, Aug, 2018 @11:00 AM

Article image
Wetherspoon hack: customer details stolen in latest cyber-attack
Hackers steal 657,000 personal details from old website database but pub chain says stolen data is ‘extremely limited’

Julia Kollewe

04, Dec, 2015 @12:49 PM

Article image
US charges seven Iranian hackers over cyber-attacks on banks
Department of Justice indicts hackers linked to Iran government for disrupting computer systems in first shift in US-Iranian relations since nuclear treaty

Danny Yadron in San Francisco and Saeed Kamali Dehghan in London

24, Mar, 2016 @4:32 PM

Article image
SolarWinds: company at the core of the Orion hack falls under scrutiny
Texas-based firm, which has become an industry dominant player, provides monitoring services to corporations and federal agencies

Kari Paul and agencies

16, Dec, 2020 @8:36 PM

Article image
Largest US pipeline to restart operations after hack shut it down for nearly a week
Announcement comes amid fuel shortages in south-east, with panicked drivers filling up their tanks

Oliver Milman

13, May, 2021 @1:38 AM

Article image
Tech firm hit by giant ransomware hack gets key to unlock victims’ data
Kaseya’s universal key can free the files of hundreds of organizations, ending the worst of the attack’s fallout

Kari Paul and agencies

22, Jul, 2021 @11:47 PM

Microsoft: critical alert

Microsoft warned customers yesterday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information.

11, Feb, 2004 @11:43 AM