A Chinese government-linked hacking campaign revealed by Microsoft this week has ramped up rapidly. At least four other distinct hacking groups are now attacking critical flaws in Microsoft’s email software in a cyber campaign the US government describes as “widespread domestic and international exploitation” with the potential to impact hundreds of thousands of victims worldwide.
Beginning in January 2021, Chinese hackers known as Hafnium began exploiting vulnerabilities in Microsoft Exchange servers. But since the company publicly revealed the campaign on Tuesday, four more groups have joined in and the original Chinese hackers have dropped the pretense of stealth and increased the number of attacks they’re carrying out. The growing list of victims includes tens of thousands of US businesses and government offices targeted by the new groups.
“There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” says Katie Nickels, who leads an intelligence team at the cybersecurity firm Red Canary that is investigating the hacks. When tracking cyberthreats, intelligence analysts group clusters of hacking activity by the specific techniques, tactics, procedures, machines, people, and other characteristics they observe. It’s a way to track the hacking threats they face.
Hafnium is a sophisticated Chinese hacking group that has long run cyberespionage campaigns against the United States, according to Microsoft. They are an apex predator—exactly the sort that is always followed closely by opportunistic and smart scavengers.
Activity quickly kicked into higher gear once Microsoft made their announcement on Tuesday. But exactly who these hacking groups are, what they want, and how they’re accessing these servers remain unclear. It’s possible that the original Hafnium group sold or shared their exploit code or that other hackers reverse engineered the exploits based on the fixes that Microsoft released, Nickels explains.
“The challenge is that this is all so murky and there is so much overlap,” Nickels explains. “What we’ve seen is that from when Microsoft published about Hafnium, it’s expanded beyond just Hafnium. We’ve seen activity that looks different from tactics, techniques, and procedures from what they reported on.”