Microsoft hack: Biden launches emergency taskforce to address cyber-attack | US news | The Guardian

Microsoft hack: Biden launches emergency taskforce to address cyber-attack
The ‘unusually aggressive’ attack allowed hackers to access email accounts of at least 30,000 organizations in the US

An aggressive cyber-attack has affected hundreds of thousands of Microsoft customers around the world.
An aggressive cyber-attack has affected hundreds of thousands of Microsoft customers around the world. Photograph: Lucy Nicholson/Reuters
Kari Paul
Mon 8 Mar 2021 23.11 GMT

103
The Biden administration is launching an emergency taskforce to address an aggressive cyber-attack that has affected hundreds of thousands of Microsoft customers around the world – the second major hacking campaign to hit the US since the election.

The attack, first reported by security researcher Brian Krebs on 5 March, allowed hackers to access the email accounts of at least 30,000 organizations in the US.

These back channels for remote access can affect credit unions, town governments and small business, and have left US officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency.

The “unusually aggressive” attack infiltrated accounts using tools that give the attackers “total, remote control over affected systems”, cybersecurity experts briefed on the topic told Krebs.


SolarWinds hack was work of 'at least 1,000 engineers', tech executives tell Senate
Read more
On Saturday the Cybersecurity and Infrastructure Security Agency (Cisa) encouraged all organizations using Microsoft Exchange to scan devices for vulnerabilities. The breach represents “a significant vulnerability that could have far-reaching impacts”, the White House press secretary, Jen Psaki, said in a press briefing on Friday.

Advertisement

“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

The latest hack comes on the heels of SolarWinds, a separate series of sophisticated attacks attributed to Russia that breached about 100 US companies and nine federal agencies.

Microsoft said it has seen “no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services”.

Researchers say the recent hack began as a controlled attack on a few large targets starting in late 2020 and was detected in early January as it developed into a more widespread campaign. Additional attacks are expected from other hackers as the code used to take control of the mail servers spreads.

The Biden administration has launched a multi-agency effort initiated by the national security council, that includes the FBI, Cisa and others, the US official said, to determine who has been hacked, what has been done, and how to quickly patch the vulnerabilities.

Microsoft first issued patches for the attack on Tuesday, but fixing the issue will be more complicated as these patches do not undo the damaged already caused, said Oliver Tavakoli, the chief technology officer at California-based security firm Vectra.

“Patching their Exchange servers will prevent an attack if their Exchange server has not already been compromised,” Tavakoli said. “But it will not undo the foothold attackers have on an already compromised Exchange server.”

The European Banking Authority, the European Union’s banking regulator, which gathers and stores swaths of sensitive data about banks and their lending, confirmed on Monday it had been affected. It said it believed the cyber-attack had struck only its email servers and that no data had been obtained. Psaki declined to answer in this weekend’s press conference whether any large US government bodies were affected by the breach, and other targets have not yet been named.

A person working with the US response told Reuters that the attack had been blamed on a Chinese government-backed actor. Microsoft has also attributed the attack to China. A Chinese government spokesman said the country was not behind the intrusions, according to Reuters.

The latest hack comes on the heels of SolarWinds, a separate series of sophisticated attacks attributed to Russia that breached about 100 US companies and nine federal agencies.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

A Microsoft spokesman said in a statement the company is working closely with Cisa, other government agencies and security companies to respond to the hack.

“The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance,” he said. “Impacted customers should contact our support teams for additional help and resources.”

The most recent Microsoft hack, which one former national security official briefed on the matter called “absolutely massive” in an interview with Wired, may end up being larger than the historically large SolarWinds attack that prompted a congressional hearing this month.

At that hearing, tech executives including Microsoft’s president, Brad Smith, said hacks like these were difficult to address as many organizations do not publicly announce breaches until long after they are discovered.

Meanwhile, handling this hack so close to the recent SolarWinds attacks will be difficult for US agencies, said Tavakoli.

“This hack will compete for the same investigative and remediation resources, so having two such broad attacks occur near the same time places exorbitant strain on the resources,” he said.