The government obtained a judge's authorization for an effort to remove malicious code left behind by the Exchange Server hack.
Early this year, a group of hackers associated with the Chinese government, known as Hafnium, exploited a vulnerability in Microsoft’s Exchange Server. The attack allowed them to gain access to over 60,000 servers, including those of major corporations and banks.
This attack is separate from the SolarWinds hack that affected thousands of customers last year through a backdoor planted in the company's software. In that case, a Russian group was able to piggyback on SolarWinds' software, which, when installed via an update on client networks, allowed the hackers to deploy malicious code. Microsoft worked with FireEye to cut off the attack by sinkholing the domain the malware used to receive further instructions.
This attack was different in that it took advantage of a known security flaw affecting on-premises Exchange servers. In what is known as a zero-day attack, the hackers were able to exploit the vulnerability without any interaction from the user and without the user knowing that malicious code had been placed on the server. The breach was so widespread that the Biden administration called for a "whole of government response."
It appears Microsoft was first notified of the problem in January but did not release a patch until March, which was also the first time the issue was acknowledged publicly. During that time, the hackers had access to sensitive information at thousands of companies, government agencies, and other organizations.
Since then, many organizations have been able to patch the flaw and remove the malicious code the attackers left behind, known as web shells. Some, however, had yet to fully mitigate the attack: the patch closes the vulnerability but does not remove code already planted on the server. Even where the patch had been installed, the government said that a few hundred organizations had not removed the web shells from infected servers.