Microsoft Exchange Server data breach (2021)
| Field | Details |
|---|---|
| Date | First breach observed on 3 January 2021 |
| Suspected actor | More than ten advanced persistent threat (APT) groups were involved. These include Hafnium, which Microsoft alleges to be a Chinese state-sponsored group, Tick (also known as Bronze Butler), LuckyMouse (also known as APT27 and Emissary Panda), Calypso, the Winnti Group (also known as BARIUM and APT41), Tonto Team (also known as CactusPete), Mikroceen (also known as Vicious Panda), Websiic, DLTMiner, and at least one previously unknown group. With the exception of DLTMiner, which has been linked to crypto-mining, the APT groups have all been linked to cyber espionage. On 19 July 2021, the US, joined by several other Western states, NATO and the European Union, stated that it attributed the cyber operations ‘with a high degree of confidence’ to malicious cyber actors affiliated with China’s Ministry of State Security. China has repeatedly denied any involvement. |
| Target | Between tens of thousands and more than 250,000 victims worldwide, particularly small businesses and governments, as of 6 March 2021. Prominent targets have included the European Banking Authority, the Norwegian Parliament, and Chile’s Commission for the Financial Market. The Taiwanese multinational corporation Acer was also targeted. |
| Target systems | On-premises Microsoft Exchange servers |
| Method | Four zero-day exploits of vulnerabilities in Microsoft Exchange were utilised to gain initial access to servers, after which web shell backdoors, such as China Chopper, were deployed to preserve long-term access to the compromised servers. At least one web shell had the capability to run commands and to upload, delete, and view files. Post-compromise tools such as Covenant, Nishang and PowerCat were deployed, enabling remote access. In some cases, the ransomware known as DearCry was subsequently installed on vulnerable on-premises Microsoft Exchange servers. The REvil ransomware was also deployed on other vulnerable systems, as was the Black KingDom ransomware. A leading theory, proposed by investigators from Microsoft and from the US government, suggests that “[t]he suspected Chinese hackers mined troves of personal information acquired beforehand to carry out the attack.” The cybersecurity firm SentinelOne has also theorised that the large number of threat actors involved can be explained by a Chinese entity supplying the exploits to multiple hacking groups. |
| Purpose | Data exfiltration, crypto-mining, and ransom-seeking |
| Result | Web shells were installed on more than 5,000 unique servers in over 115 countries. The effects on the targeted entities have varied widely. For example, the European Banking Authority’s servers were compromised, but because it took its email systems offline as a precaution, no data was exfiltrated from its systems. In contrast, data was exfiltrated from the Norwegian Parliament, although the full extent of the damage is unknown. Although it had been “affected” by the incident, the Chilean financial regulator, the Commission for the Financial Market, did not find any ransomware. |
| Aftermath | The US Federal Bureau of Investigation, the Australian Cyber Security Centre and the UK National Cyber Security Centre each coordinated national responses against the exploits. Microsoft patched the vulnerabilities and the Microsoft Defender antivirus was updated to automatically mitigate them. However, these patches and mitigations do not remove existing infections, such as web shells and backdoors that have already been installed. Microsoft Defender was also updated to detect and remove the DearCry ransomware. |
| Analysed in | Scenario 02: Cyber espionage against government departments |
Collected by: Darryl Chan
- Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, ‘Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities’, Volexity (08 March 2021)
- ‘Number of APT groups exploiting the latest Exchange vulnerabilities grows, with thousands of email servers under siege, ESET discovers’, ESET (10 March 2021)
- Tom Burt, ‘New nation-state cyberattacks’, Microsoft (02 March 2021)
- Matthieu Faou, Mathieu Tartare, Thomas Dupuy, ‘Exchange servers under siege from at least 10 APT groups’, ESET (10 March 2021)
- Sergiu Gatlan, ‘More hacking groups join Microsoft Exchange attack frenzy’, Bleeping Computer (10 March 2021)
- United States, ‘The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China’ (19 July 2021)
- ‘Foreign Ministry Spokesperson Wang Wenbin's Regular Press Conference on March 3, 2021’, Ministry of Foreign Affairs of the People’s Republic of China (3 March 2021); Eric Tucker, ‘Microsoft Exchange hack caused by China, US and allies say’, AP News (20 July 2021) (reporting a statement by a spokesperson for the Chinese Embassy in Washington, Liu Pengyu, that the ‘U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.’)
- Robert McMillan, Dustin Volz, ‘China-Linked Hack Hits Tens of Thousands of U.S. Microsoft Customers’, Wall Street Journal (06 March 2021)
- ‘Cyber-attack on the European Banking Authority’, European Banking Authority (07 March 2021)
- ‘New cyberattack on the Storting’, Stortinget (11 March 2021)
- ‘CMF informa sobre incidente de ciberseguridad’, Comisión para el Mercado Financiero (14 March 2021)
- Lawrence Abrams, ‘Computer giant Acer hit by $50 million ransomware attack’, Bleeping Computer (19 March 2021)
- Charlie Osborne, ‘Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors’, ZDNet (15 March 2021)
- ‘HAFNIUM targeting Exchange Servers with 0-day exploits’, Microsoft (16 March 2021)
- Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace, ‘Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities’, FireEye (04 March 2021)
- Charlie Osborne, ‘Microsoft Exchange zero-day vulnerabilities exploited in attacks against US local governments’, ZDNet (05 March 2021)
- Sabina Weston, ‘Microsoft warns of ransomware attacks as Exchange hack escalates’, ITPro (12 March 2021)
- Mark Loman, ‘Black Kingdom ransomware begins appearing on Exchange servers’, Sophos (23 March 2021)
- Rajesh Nataraj, ‘New Lemon Duck variants exploiting Microsoft Exchange Server’, Sophos (07 May 2021)
- Dan Kobialka, ‘Hackers Use Prometei Botnet to Attack Microsoft Exchange Users’, MSSP Alert (22 April 2021)
- Dustin Volz, Robert McMillan, ‘Suspected China Hack of Microsoft Shows Signs of Prior Reconnaissance’, Wall Street Journal (07 April 2021)
- Dan Goodin, ‘There’s a vexing mystery surrounding the 0-day attacks on Exchange servers’, Ars Technica (11 March 2021)
- Charlie Osborne, ‘Lemon Duck hacking group adopts Microsoft Exchange Server vulnerabilities in new attacks’, ZDNet (10 May 2021)
- ‘European Banking Authority hit by Microsoft Exchange hack’, BBC News (08 March 2021)
- ‘Cyber-attack on the European Banking Authority – UPDATE 3’, European Banking Authority (09 March 2021)
- ‘CMF actualiza información sobre incidente de ciberseguridad’, Comisión para el Mercado Financiero (15 March 2021)
- Michael Novinson, ‘REvil Ransomware Targets Acer’s Microsoft Exchange Server: Source’, CRN (19 March 2021)
- Charlie Osborne, ‘Everything you need to know about the Microsoft Exchange Server hack’, ZDNet (19 April 2021)
- MSRC Team, ‘One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021’, Microsoft Security Response Center (15 March 2021)
- Microsoft 365 Defender Team, ‘Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus’, Microsoft (18 March 2021)
- Charlie Osborne, ‘Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated’, MSN (24 March 2021)