CISA, FBI Link Exploitation of Microsoft Exchange to Nation-State Actors


The agencies also warned of impending commoditization by criminal groups of access gained through vulnerabilities in the email and calendar service.

Federal agencies responding to a surge of intrusions following Microsoft’s release of patches for vulnerabilities in on-premises Microsoft Exchange products say the hackers racing to exploit the weaknesses before they are fixed include nation-state actors.

“The FBI and [the Cybersecurity and Infrastructure Security Agency] assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities,” the agencies said in a joint advisory Wednesday.

Microsoft, in a March 2 blog post releasing the patches, previously attributed the threat activity to a group it called Hafnium, which the company believes is connected to the Chinese government. Wednesday’s advisory identified targets the hackers are focused on as characteristic of Chinese cyber actors.

“Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” the advisory reads. “This targeting is consistent with previous targeting activity by Chinese cyber actors. Illicitly obtained business information, advanced technology, and research data may undermine business operations and research development of many U.S. companies and institutions.”

CISA officials told lawmakers Wednesday that no federal agencies are so far known to be compromised through the Microsoft Exchange vulnerabilities. But the advisory noted the federal enterprise is still in danger from the persistent threat that is likely to grow in both scale and severity.

“The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network,” the agencies said. “FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.”

One indication of the hackers’ level of access came from security researchers at ESET. The group shared a post Wednesday noting that several advanced persistent threat actors—including “Lucky Mouse,” which also goes by the moniker “Emissary Panda”—were exploiting the Exchange vulnerabilities even before Microsoft released its patches.

“On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” ESET wrote. “This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.”

ESET said most of the threat groups it identified were interested in espionage, but there was also one—“DLTMiner”—which is linked to crypto-mining activity more typical of criminal groups.
