
Microsoft Exchange: analysing the geopolitics

20 July 2021

Earlier this year, a major cyber-attack targeted Microsoft Exchange servers, affecting an estimated 30,000 organisations around the world and enabling large-scale espionage against a range of targets.

This week, the UK, US and EU have all accused China of carrying out the attack, indicating that China’s tactics have evolved to include ‘smash-and-grab’ raids by sharing information about the Exchange vulnerabilities and recruiting contract hackers.

In this article, Christo Butcher, global lead for threat intelligence at NCC Group, outlines the motivations behind the attack and analyses the significance of the UK, US and EU’s public accusation.

“Early evidence of this attack can be traced back to January of this year, highlighting the methods employed by Hafnium, the first threat actor shown to have exploited the Exchange vulnerabilities. These initial attacks can be broken down into two parts. Firstly, the attacker would target the server to read the victim's emails, before seeking to install implants and webshells onto a target network to potentially gain remote access.”

“However, from the end of February, we saw a frenzy of indiscriminate attacks from a wider range of threat actors hoping to exploit these vulnerabilities. That shift in activity is in line with the recent UK, US and EU allegations of China sharing information on the Exchange vulnerabilities and recruiting contract hackers.”

“Although many organisations will have patched the vulnerability by now, the escalating tactics that the UK, EU and US have accused China of using as part of the attack should serve as a useful reminder to implement strong cyber hygiene across their organisation. This includes installing the latest updates from Microsoft and other suppliers as soon as possible, as well as investigating systems for any indicators of compromise such as webshells, suspicious files and new scripts. If any indicators of compromise are identified within a system, the next step is to begin the incident response process and take steps to secure any affected machines.”

“The UK, US and EU’s announcement will increase the pressure on China within the geopolitical landscape by bringing the discussion into the public and political domains. It is also significant that the Western authorities have explicitly noted China’s use of contract hackers to carry out state-level attacks. This shift includes those contract hackers exploiting vulnerabilities for personal and financial gain as well as state-level benefits. It also highlights the increasingly blurred line between state and other threat actors, as well as between their respective motivations. Given that evolving threat landscape, organisations should maintain a comprehensive security posture that is not limited to a narrow type of threat.”
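As an added illustration of the hygiene advice quoted above (not code from the article or from NCC Group), the following PowerShell triage script lists web-script files recently created or modified in the Exchange and IIS directories where webshells were typically dropped in this campaign. The directory paths and the 90-day window are assumptions for a default Exchange 2013-2019 install; adjust them to the server being examined.

```powershell
# Added example, not from the article: surface recently written .aspx/.ashx/.asmx/.asp
# files in Exchange web directories as incident-response leads.
# Paths are assumptions for a default Exchange 2013-2019 (V15) install.
param(
    [datetime]$Since = (Get-Date).AddDays(-90)
)

$exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$watchDirs = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $exchangeRoot 'ClientAccess\owa\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)
$scriptExtensions = @('.aspx', '.ashx', '.asmx', '.asp')
$sinceUtc = $Since.ToUniversalTime()

$findings = foreach ($dir in $watchDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $scriptExtensions -contains $_.Extension.ToLower() -and
            ($_.CreationTimeUtc -ge $sinceUtc -or $_.LastWriteTimeUtc -ge $sinceUtc)
        } |
        ForEach-Object {
            # Record a hash so each hit can be compared against published indicators
            # and preserved as evidence before any clean-up.
            [pscustomobject]@{
                Path      = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
} else {
    "No web-script files created or modified since $Since in the watched directories."
}
```

Hits are leads, not confirmed compromise: a recent cumulative update legitimately rewrites files such as the OWA logon pages, so compare each result against Microsoft's published file lists and hand confirmed findings to the incident response process rather than deleting them in place.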

ENDS