
The Daily Beast

How China’s Destructive Microsoft Hack Endangers Us All

Michael Borgers / Getty

By Matthew Brazil

During World War II, the Chinese Communists cultivated opium in their base area and traded it in cities occupied by Japan. Mao Zedong's manager for the trade was Li Kenong, one of the great spymasters of the period. Although Mao later regretted cultivating the "special product," which he called "that certain thing," the drug sowed disruption behind enemy lines and benefited the economy of the Red Zone.

Beijing seems to be applying the same strategy in the West's backyard today: disrupting online systems while benefiting the Chinese economy through viruses and worms used to steal information from computer systems worldwide.

The latest simultaneous exploitation of thousands of organizations, announced on March 2, has been called the Microsoft Exchange hack, after the server software that runs many organizations' email systems. The intruders can read the email of selected targets and then move deeper into the compromised networks. More than 60,000 organizations in the U.S. and at least 280,000 users worldwide who rely on Microsoft Exchange for their email were hacked between February 26 and March 3, according to Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency. The organizations include defense contractors, universities, state and local governments, think tanks, infectious disease researchers and businesses: anyone who happens to use Microsoft Exchange for their email. Krebs's advice was blunt:

If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web. If you get a hit on that search, you're now in incident response mode. https://t.co/865Q8cc1Rm — Chris Krebs (@C_C_Krebs) March 5, 2021

The unidentified organization behind the hack, assessed by Microsoft to be a Chinese state-backed entity, is known by the code name HAFNIUM.
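For an administrator who wants to run the check Krebs describes on an Exchange server, here is an added example in PowerShell. It is not code from the article or from Krebs; the path, the eight-character .aspx indicator and the February 26 to March 3 window are the ones named in the tweet, while scanning the whole aspnet_client tree rather than only the system_web subfolder, hashing the files and writing a CSV report are this example's own choices.

```powershell
# Added example, not from the article or from Chris Krebs. Triage one Exchange
# server for the web-shell indicator in the tweet above. Run in an elevated
# PowerShell session on the server itself.
#
# Assumptions of this example (not part of the original advice): the scan
# covers the parent aspnet_client tree, not just system_web; files created in
# the window are flagged even if their names are not eight characters; hits are
# hashed and exported to a CSV for the incident-response team.

$Root        = 'C:\inetpub\wwwroot\aspnet_client'   # tweet names the system_web subfolder; the parent is a superset
$WindowStart = Get-Date '2021-02-26'
$WindowEnd   = (Get-Date '2021-03-03').AddDays(1)   # makes March 3 inclusive
$Report      = Join-Path $env:TEMP 'exchange-webshell-triage.csv'

if (-not (Test-Path -Path $Root)) {
    Write-Host "Directory $Root not found; nothing to scan."
    return
}

# Collect every .aspx file under the tree and keep the ones that match either
# indicator: an eight-character base name, or creation inside the window.
$hits = Get-ChildItem -Path $Root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $eightChar = ($_.BaseName.Length -eq 8)
        $inWindow  = ($_.CreationTime -ge $WindowStart -and $_.CreationTime -lt $WindowEnd)
        if ($eightChar -or $inWindow) {
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                LastWritten = $_.LastWriteTime
                Bytes       = $_.Length
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Reason      = @(
                    if ($eightChar) { '8-char name' }
                    if ($inWindow)  { 'created in window' }
                ) -join '; '
            }
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize
    $hits | Export-Csv -Path $Report -NoTypeInformation
    Write-Warning 'Hits found. Preserve the files (do not delete them yet) and treat this host as compromised: incident response mode.'
    Write-Host "Report written to $Report"
} else {
    Write-Host "No matching .aspx files under $Root."
    Write-Host 'This does not prove the server is clean: attackers choose their own file names and drop locations.'
}
```

In a normal installation this folder holds only client-side script files, so any .aspx file under it deserves a look regardless of its name length. A clean result from this one directory is a negative on one indicator, not a clean bill of health; the patch still has to be applied, and a full review should cover the other paths and logs Microsoft's guidance lists.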
The hack allowed unauthorized access to entire email systems and, from there, to linked databases holding classified information, trade secrets, a wide range of other proprietary information and personally identifiable information such as names, addresses and Social Security numbers, all of which is useful for identity theft.

HAFNIUM is named after a chemical element discovered in 1923; the group has not yet been characterized clearly enough to earn a cryptonym like "TURBINE PANDA," the name given to the cyber espionage activities of the infamous Jiangsu State Security Bureau. TURBINE PANDA is linked to the 2014 OPM hack, another massive data breach, and to the case of Yanjun Xu, the state security officer extradited from Belgium to the U.S. for attempting to steal GE's advanced jet engine technology.

Bad actors in China and beyond, whether working for intelligence services or for criminal organizations, quickly reproduced HAFNIUM's "proof of concept exploitation," that is, they showed they could use the vulnerability to get into a target system by performing a benign task such as opening the calculator or moving the cursor. From there it is a short step to turning the exploit into a working attack with malware. According to an industry source, several other Chinese intrusion groups may have used the same zero-day vulnerabilities as HAFNIUM. Within nine days of the disclosure, criminal organizations outside China were already deploying ransomware that exploits the vulnerability, faster than in previous cases, which will further complicate the work of investigators trying to attribute attacks to specific actors.

The Biden administration issued a public warning on March 12 that organizations have "hours, not days" to patch exposed servers with the updates Microsoft has already released. Ordinary users may have noticed two lengthy Microsoft updates over the past week intended to close the vulnerabilities.
Microsoft has identified HAFNIUM as a Chinese state-backed actor, which indicates that Beijing's security services, most likely the Ministry of State Security (MSS), are continuing to pursue the kind of big data harvest seen in the 2017 APT3 operations attributed to the Guangdong State Security Bureau.

It is no surprise that China's sprawling HAFNIUM operation against Microsoft Exchange servers somewhat resembles Russia's SolarWinds attack. Both rely on the widespread use of a targeted product, SolarWinds in one case and Microsoft Exchange in the other, as the vector to reach the real goal: the tens of thousands of users holding sensitive information such as U.S. defense production data, weapons system designs, trade secrets useful to China's latest five-year plan, and the emails of Beijing's political opponents. (The mechanics differ: the SolarWinds attackers inserted their code into the vendor's own software updates, while HAFNIUM exploited flaws in Exchange servers directly. In both cases, though, one ubiquitous product opened the door to thousands of victims at once.) These intelligence objectives are reminiscent of the targets of Russian and Chinese communist intelligence agencies over the past century. From the late 1920s to the late 1950s, the spy services of Russia and communist China shared selected information about their common enemies: Japan and Germany in World War II, the U.S. and its allies in the early Cold War. It remains to be seen whether evidence emerges that the current cooperation between Moscow and Beijing, whose relations have steadily improved since the collapse of the Soviet Union in 1991, extends to planning and carrying out cyber attacks. In a troubling link, evidence emerged on March 8 that hackers from China were targeting SolarWinds customers in an operation separate from the Russian attacks.

These operations highlight how large-scale computer network exploitation in the 21st century has transformed the collection of technical intelligence, and not just among the superpowers. During the Cold War, signals intelligence operations on the necessary scale required the resources of an advanced industrial state.
The advantage in carrying out massive, devastating hacks now belongs to whichever player, big or small, has the best software developers. The new battlefield, with its potential for attacks on power grids, hospitals and sensitive facilities such as nuclear power stations, puts the entire population at risk. Although individual users may feel helpless in this Black Mirror scenario, there are some simple measures that everyone, technical or not, can take.

First, enable two-factor authentication wherever it is offered. This makes it much harder for a third party to get into your account even if they have managed to steal your password.

Second, the most common and yet most commonly ignored advice: never click on a link in an email unless you are sure it is legitimate. This is how adversaries have repeatedly gained access to Pentagon computers. Do. Not. Click. Unless you want to end up like Hillary Clinton's campaign chairman John Podesta, whose emails were hacked and shared with the world.

Third, users exchanging sensitive information should use a virtual private network (VPN) to hide their traffic. Why not shield every login and every search from prying eyes on the network? (A VPN hides your traffic from whoever runs the local network, not from the VPN provider, and it would not have protected the organizations whose Exchange servers were breached: it secures the user's connection, not the server at the other end.)

Fourth, never put off software updates. Internationally there is a large market not only for zero-day vulnerabilities but also for one-day vulnerabilities, those that are publicly known and already patched. Why? Because a high percentage of users skip updates, leaving themselves open to known exploits that are already shared worldwide on GitHub, the open, cloud-based code-sharing service. Once an exploit is posted on GitHub, anyone can use it. Criminals then go after the low-hanging fruit, including the large number of people who do not bother with software updates and patches, and especially those who run pirated software. Once a cheap alternative, pirated software is the Typhoid Mary of the digital world. Need motivation to do the right thing?
Read This Is How They Tell Me the World Ends, a harrowing account of the global cyberweapons market, driven in part by U.S. taxpayer money. China is certainly watching.

Published in partnership with SpyTalk, where Jeff Stein leads a team of veteran investigative reporters, writers and subject-matter experts who take you behind the scenes of the national security state. Read more at The Daily Beast.
