Cybersecurity Group Says Chinese Regime-Linked Hackers Hit Multiple US Targets

March 5, 2021 Updated: March 5, 2021

Cybersecurity group FireEye said Thursday it found evidence that hackers linked to the Chinese regime exploited a flaw in a Microsoft email application to go after a number of American targets, including a university and local governments.

FireEye analysts wrote in a blog post that the company built “higher-fidelity detections” and launched multiple threat hunting campaigns after Microsoft confirmed earlier this week that a Chinese state-sponsored hacking group known as “Hafnium” had exploited vulnerabilities in Microsoft’s Exchange Server email program.

Using its array of detection methods and tools, FireEye found that “the activity reported by Microsoft aligns with our observations” and said that the Hafnium hackers targeted a range of victims, including “U.S.-based retailers, local governments, a university, and an engineering firm,” as well as a Southeast Asian government and a Central Asian telecom.

FireEye said Hafnium hackers earlier targeted U.S.-based universities, defense contractors, and infectious disease researchers.

The analysts said FireEye is currently tracking the malicious activity in three clusters, but warned that they expect to find additional clusters as they respond to intrusions.

“We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity,” the analysts said.

For those looking for potential evidence of compromise, FireEye recommends checking for files written to the system by w3wp.exe or UMWorkerProcess.exe, requests for non-existent resources, and suspicious or spoofed HTTP User-Agents.

“In our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise,” the analysts said.

It comes days after Microsoft said in a blog post that the Chinese regime-linked hacking campaign made use of four previously undetected vulnerabilities in different versions of the Exchange Server software.

The Microsoft sign is shown on top of the Microsoft Theatre in Los Angeles, Calif., on Oct. 19, 2018. (Mike Blake/File/AP)

Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks.

Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code, including elements of Exchange, the company’s email and calendaring product.

Ahead of the Microsoft announcement, the hackers’ increasingly aggressive moves began to attract attention across the cybersecurity community.

Mike McLellan, director of intelligence for Dell Technologies Inc’s Secureworks, said ahead of the Microsoft announcement that he had noticed a sudden spike in activity touching Exchange servers overnight on Sunday, with around 10 customers affected at his firm.

McLellan said that for now, the hacking activity he had seen appeared focused on seeding malicious software and setting the stage for a potentially deeper intrusion rather than aggressively moving into networks right away.

“We haven’t seen any follow-on activity yet,” he said. “We’re going to find a lot of companies affected but a smaller number of companies actually exploited.”

Microsoft said targets included infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental groups.

Reuters contributed to this report.

Follow Tom on Twitter: @OZImekTOM