While President Joe Biden contemplates retaliating against the Russian hackers whose attack on another software company, SolarWinds, became public in December, the Hafnium hack has become an enormous free-for-all, and its consequences could be even worse. As experts sprint to close the holes opened up by the Chinese hacking campaign, officials say the American government is focused closely on what happens next to the thousands of newly vulnerable servers, and on how to respond to China.
“The gates are wide open to any bad actor that wants to do anything to your Exchange server and the rest of your network,” says Sean Koessel, vice president at Volexity, the cybersecurity firm that helped discover the hacking activity. “The best case is espionage—somebody who just wants to steal your data. The worst case is ransomware getting in and deploying it across the entire network.”
The distinction between the two attacks is not just about technical details, or even which country committed them. Although 18,000 companies downloaded the compromised SolarWinds software, the number of genuine targets was just a fraction that size. Hafnium, meanwhile, was far more indiscriminate.
“Both started out as espionage campaigns, but the difference really is how they were conducted,” says Dmitri Alperovitch, chairman at the Silverado Policy Accelerator and cofounder of security firm CrowdStrike. “The Russian SolarWinds campaign was very carefully done, where the Russians went after the targets they cared about and they shut down access everywhere else, so that neither they nor anyone else could get into those targets that were not of interest.”
“Contrast that with the Chinese campaign,” he says. “On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They left web shells that can now enable others to get into those networks, potentially even ransomware actors. That’s why it’s highly reckless, dangerous, and needs to be responded to.”
Exploitation en masse
The beginning of the Hafnium campaign was “very under the radar,” says Koessel.
The hacking was missed by most security checks: it was only spotted when Volexity noticed unusual and very specific web requests arriving at the Microsoft Exchange email servers that its own customers were running on their premises.
A month-long investigation showed that four previously unknown (zero-day) vulnerabilities in Exchange were being exploited to steal entire mailboxes, potentially devastating for the individuals and companies involved, but at this point there were few victims and the damage was relatively limited. Volexity worked with Microsoft for weeks on a patch for the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only did the number of victims start to rise, but so did the number of distinct hacking groups exploiting the flaws.
Why did the extent of the exploitation explode? Some suggest the hackers realized their time was almost up. But if they did know a patch was coming, how did they find out? It is not clear how multiple government hacking groups came to know about the zero-day vulnerabilities before Microsoft had made any public announcement.
“I think it is very uncommon to see so many different [advanced hacking] groups having access to the exploit for a vulnerability while the details are not public,” says Matthieu Faou, who leads research into the Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities were somehow leaked to the threat actors,” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”