In March, tens of thousands of organisations around the world discovered their private internal discussions had been cracked open and laid bare by a group of Chinese hackers.
Four previously undiscovered weaknesses in Microsoft’s Exchange software, known as “zero days” because the company had had no time to fix the flaws before they were exploited, lay behind the mass hack. The vulnerabilities, which affected software released from 2012 onwards, allowed the group to take permanent control of the corporate servers, siphoning off emails, calendars, and anything else they desired.
Even fully updated systems were vulnerable, until Microsoft released emergency updates to fix the holes on 2 March, just three days before the hacking campaign was publicly disclosed by security journalist Brian Krebs.
The mass hack started on 28 February, with thousands of companies falling victim every hour before it was even possible for them to defend against it. Many more were hit in the days following Microsoft’s deployment of an emergency fix, since companies are often wary about installing security updates the same day they are published in case critical functionality breaks.
The campaign was quickly identified as a potential espionage mission, due to the nature of the information at risk: Microsoft’s Exchange software handles all communications at companies that use it, allowing attackers to potentially seize usernames and passwords, confidential information, intellectual property, blackmail material and more.
Initially, the attack was attributed to a group known as “Hafnium”, thought by security researchers to be affiliated with the Chinese state. But that early attribution was not sufficient for the UK and its allies to publicly state that the Chinese government lay behind the attack. After months of investigation, the UK’s National Cyber Security Centre has now declared it “highly likely that Hafnium is associated with the Chinese state.”