Tens of thousands of organizations around the world using the Microsoft Email Exchange Server have been compromised by a cyber campaign suspected to have ties to China. This campaign exploited software vulnerabilities to seize control of systems and steal data, according to researchers.

Security researchers at Volexity first detected the hack in January, according to Microsoft. Volexity has provided a full overview of the technical details on its website. FireEye’s Mandiant also reported evidence that the campaign hit U.S. retailers, local governments, a university and an engineering firm. Cybersecurity blogger Brian Krebs reported at least 30,000 U.S. organizations could be affected, among them being small businesses and municipalities.


In a blog post, Microsoft researchers detailed the recent exploits of a highly skilled and sophisticated threat actor they call Hafnium. The threat actors were able to infiltrate the Microsoft Email Exchange Server software using stolen credentials or zero-day vulnerabilities. They could then create web shells with administrative access, allowing the bad actors to steal data or control systems remotely.

According to Microsoft, the group typically targets U.S. entities, especially infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and other nongovernmental organizations.

Microsoft issued emergency security updates to protect Exchange Server customers. It should be noted that the hack is not related to the recent SolarWinds supply chain attack. Multiple security researchers reported that, after Microsoft issued its patch, hackers seemed to have kicked the hacking campaign into overdrive to access as many unpatched systems as possible.

U.S. Government Response

The Biden administration will reportedly convene a task force to investigate the hack, and the federal Cybersecurity and Infrastructure Security (CISA) issued an alert to help organizations determine whether they may have been compromised.

On Twitter, former CISA head Christopher Krebs called the event a huge hack, adding that the affected parties dwarf the already-high reported numbers. Any organization using Outlook Web Access should check if it has been compromised, according to Krebs.

“[The compromise] is going to disproportionately impact those that can least afford it,” Krebs said in a Tweet. “Incident response teams are burned out, and this is at a really bad time. Few organizations should be running exchange servers these days.”

Hacking the email systems of hundreds of thousands of organizations could lead to not only intellectual property theft, but could also give rise to data breaches, business email compromise attacks, funds transfer fraud and other risks that would trigger insurance policies that cover cyber events. Having built backdoors into countless systems, the malicious actors can also come and go freely unless detected and locked out quickly, making patching and quick remediation essential.

The event comes at a time when federal lawmakers have been advised to quickly streamline the process of sharing threat information between the government, security firms and the private sector. A recent Senate hearing revealed some willingness on the part of lawmakers to move toward mandatory breach reporting with possibly liability protections for breached parties.