Microsoft accuses China-based group for cyber-attack on its ‘Exchange Server’

Microsoft, in its latest blog post, has blamed a China-based espionage group for cyber-attacks on its Exchange Server software.

The blog post, released on Tuesday, said the group, which the company has named Hafnium, is a highly skilled and sophisticated actor that operates from China.

Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States,” said Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft.

This is the eighth time in the past 12 months that the tech giant has openly accused a nation-state group of targeting policy think tanks and non-governmental groups.

Burt said in his post that the “attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”

In response to the attacks, the company has released security updates that protect customers running Exchange Server and has urged all Exchange Server customers to apply them immediately.

“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products,” Burt said.

The exploits the company discussed were in no way connected to the separate SolarWinds-related attacks, which hit US government agencies late last year.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” it said.