US urges IT network firms to secure controls after cyberattack

The White House has urged computer network operators to take further steps to gauge whether their systems were affected amid a hack of Microsoft Corp’s Outlook email program, saying a recent software patch still left serious vulnerabilities.

“This is an active threat still developing and we urge network operators to take it very seriously,” a White House official said on Sunday, adding that top US security officials were working to decide what next steps to take following the breach.

US TV network CNN on Sunday separately reported that the Biden administration was forming a task force to address the hack. The White House official, in a statement, said the administration was making “a whole of government response”.

While Microsoft released a patch last week to shore up flaws in its email software, the remedy still leaves open a so-called back door that can allow access to compromised servers and perpetuating further attacks by others.

“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised and it is essential that any organisation with a vulnerable server take measures to determine if they were already targeted,” the White House official said.

An unidentified source told the Reuters news agency that more than 20,000 US organisations had been compromised by the hack, which Microsoft has blamed on China.

Asked about Microsoft’s attribution of the attack to China, a Chinese foreign ministry spokesman said on Wednesday that the country “firmly opposes and combats cyberattacks and cyber-theft in all forms” and suggested that blaming a particular nation was a “highly sensitive political issue”.

The Bloomberg news agency, citing a former senior US official with knowledge of the investigation, reported that the attack has so far claimed 60,000 known victims globally.

Back channels

The back channels for remote access can affect credit unions, town governments and small business and have left US officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency.

The European Banking Authority became one of the latest victims as it said that access to personal data through emails held on the Microsoft server may have been compromised.

Others identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company, according to Huntress, a US-based firm that monitors the security of customers, in a blog post on Friday.

Those affected appear to host Web versions of Microsoft’s email program Outlook on their own machines instead of cloud providers, possibly sparing many big companies and federal government agencies, records from the investigation suggest.

A Microsoft representative on Sunday said it was working with the government and others to help guide customers, and the company urged affected clients to apply software updates as soon as possible.

Neither the company nor the White House has specified the scale of the hack. Microsoft initially said it was limited, but the White House last week expressed concern about the potential for “a large number of victims”.

So far, only a small percentage of infected networks have been compromised through the back door, the source previously told Reuters, but more attacks are expected.

The hacking group, which Microsoft calls Hafnium, appears to have been breaking into private and government computer networks through the company’s popular Exchange email software for a number of months, initially attacking only a small number of victims, according to Steven Adair, the head of US-based Volexity. The cybersecurity company helped Microsoft identify the flaws being used by the hackers for which the software giant issued a fix on Tuesday.

The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC.

Fragile networks

Both the most recent incident and the SolarWinds attack show the fragility of modern networks and sophistication of state-sponsored hackers to identify hard-to-find vulnerabilities or even create them to conduct espionage. They also involve complex cyberattacks, with an initial blast radius of large numbers of computers which is then narrowed as the attackers focus their efforts, which can take affected organisations weeks or months to resolve.

In the case of the Microsoft bugs, simply applying the company-provided updates will not remove the attackers from a network. A review of affected systems is required, said Charles Carmakal, a senior vice president at FireEye Inc, a US-based cybersecurity company. And the White House emphasised the same thing, including tweets from the National Security Council urging the growing list of victims to carefully comb through their computers for signs of the attackers.

Initially, the hackers appeared to be focusing on high-value intelligence targets in the US, Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.

Adair said that other hacking groups may have found the same flaws and began their own attacks – or that China may have wanted to capture as many victims as possible, then sort out which had intelligence value.

Either way, the attacks were so successful – and so rapid – that the hackers appear to have found a way to automate the process. “If you are running an Exchange server, you most likely are a victim,” he said.

Data from other security companies suggest that the scope of the attacks may not end up being quite that bad. Researchers from Huntress examined about 3,000 vulnerable servers on its partners’ networks and found about 350 infections – or just over 10 percent.