Microsoft has already attributed the broad-scale compromise of its on-premises mail servers to Chinese nation-state actors.
The White House will soon officially assign responsibility for an extensive attack on Microsoft Exchange servers and decide on next steps, according to a top cybersecurity official.
“I think you saw the National Security Advisor Jake Sullivan say that we will attribute that activity,” Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said Tuesday. More on the decision and follow-on action will be announced “in the coming weeks.”
Neuberger was speaking with Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator and co-founder and former chief technology officer of the security firm CrowdStrike.
After noting President Joe Biden’s actions against Russia in response to the SolarWinds hack, Alperovitch asked what was being done to address the Microsoft Exchange hackers. Microsoft had already attributed the attack on its servers to a group it called HAFNIUM and described as Chinese state-sponsored actors.
The Microsoft Exchange hackers exploited four vulnerabilities in the software and ensnared tens of thousands of organizations across the country, including government agencies.
Neuberger said the administration’s response unit—the Unified Coordination Group—pressed Microsoft to help victims remediate the situation.
“Companies and small governments ... government agencies were struggling to patch because in order to do the most recent patch you have to have patched every prior patch and there were many,” she said. “We said ‘you've got to make this easier,’ and Microsoft jumped on it and released a one-click tool and we literally saw the number of vulnerable servers jump from 140,000 to less than 10 in a week.”
Neuberger said the Microsoft Exchange hack demonstrates how vulnerabilities in hardware and software are “one of the root causes of cybersecurity issues,” adding that Executive Order 14028 will reshape federal procurement policy for critical software.
“We require that the companies do independent or automated third-party assessments and make the results available,” she said. “The reason we did that was to say, 'look, we're not interested in looking at the specific vulnerabilities, but if one product has 10 critical vulnerabilities and a competing product has six, first you start creating an incentive for companies to address it, but second, you give an ability for a purchaser to ask questions and really press for improvements in products.’”
She also said the administration will need to continue expanding on the provisions included in the executive order.
Editor's note: This article was amended to clarify Dmitri Alperovitch's title.