Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.
The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. The hackers had stealthily attacked several targets in January, according to Volexity, the cybersecurity firm that discovered the hack, but escalated their efforts in recent weeks as Microsoft moved to repair the vulnerabilities exploited in the attack.
The U.S. government’s cybersecurity agency issued an emergency warning on Wednesday, amid concerns that the hacking campaign had affected a large number of targets. The warning urged federal agencies to immediately patch their systems. On Friday, the cybersecurity reporter Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.
“We’re concerned that there are a large number of victims,” the White House press secretary, Jen Psaki, said during a press briefing on Friday. The attack “could have far-reaching impacts,” she added.
Microsoft said in a blog post, but Microsoft said it had no sense of how extensive the theft was.
The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password.
“This is what we consider really stealth,” Mr. Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” Volexity reported its findings to Microsoft and the U.S. government, he added.
But in late February, the attack escalated. The hackers began weaving multiple vulnerabilities together and attacking a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” Mr. Adair said. “It just kept getting worse and worse.”
Jake Sullivan, the White House national security adviser.
“This is the real deal,” tweeted Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency. (Mr. Krebs is not related to the cybersecurity reporter who disclosed the number of victims.)
Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and work quickly to install the patches released this past week by Microsoft.
In a statement, Jeff Jones, a senior director at Microsoft, said, “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”
Microsoft said a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.
Since the company disclosed the attack, other hackers not affiliated with Hafnium began to exploit the vulnerabilities to target organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.