Government hackers in China have used a bug in Microsoft’s email server software to target U.S. organizations, the company said Tuesday.
Microsoft MSFT,
said a “highly skilled and sophisticated” state-sponsored group working from China tried to steal information from a number of U.S. targets, including universities, defense contractors, law firms and infectious disease researchers.
Microsoft said it has released security upgrades to address the vulnerabilities in the Exchange Server software, which is used for work email and calendar services, mostly for larger organizations that have their own email servers. It does not affect personal email accounts or Microsoft’s cloud-based services.
The company said the hacking group called Hafnium could mislead Exchange servers into gaining access. The hackers then presented themselves as someone who needed access and created a way to remotely control the server so that they could steal data from an organization’s network.
Microsoft said the group is based in China but operates by leased virtual private servers in the US, which help prevent detection.
The company did not want to name specific targets or say how many organizations are affected.
Reston, Virginia-based corporate cybersecurity firm Volexity, which acknowledges Microsoft was able to detect the intruders, said its network security service began picking up at the end of January.
“They just download emails and literally go to town,” said Steven Adair, president of Volexity. The targets included: “defense contractors, international aid and development organizations, the NGO think tank community.”
Adair said it was concerned that the hackers would speed up their activities in the coming days before organizations could install Microsoft’s security upgrades.
“As bad as it is now, I think it’s going to get worse,” he said. ‘It gives them a limited opportunity to exploit something. The plaster is not going to fix it if they leave their back door behind. ”