Chinese and Russian hackers now have unprecedented access to American corporate emails after staging massive cyberattacks. Here's what they're actually doing with it.

  • Two sweeping cybersecurity attacks have targeted widely used Microsoft email systems.
  • Experts say Chinese and Russian hackers broke into US organizations’ emails, but in different ways.
  • The Microsoft Exchange hack sparked a criminal frenzy, while SolarWinds represented stealthy spy fare.

Chinese hackers opened up the gates to marauding thieves. Russian hackers are patiently setting up for a long, stealthy spy campaign. The hackers have one thing in common: They’re both in American companies’ emails. 

The Microsoft Exchange and SolarWinds hacks are often mentioned in the same breath, partly because they are both sprawling attacks affecting thousands of organizations – and came to light within a few months of each other.

The attacks are very different. The SolarWinds attack, widely attributed to Russian government hackers, was a patient and crafted attack intended to gather intelligence for years. The Microsoft Exchange attack, widely attributed to a Chinese government hacker group called Hafnium, was much more sudden, and haphazardly spread to different criminal groups. 

Both, however, have landed on Microsoft’s email software as a major target, both on traditional servers and as part of the Office 365 cloud. Because Microsoft email is used by so many organizations, millions of people around the world may be impacted by both attacks, and for a long time, experts say.

What the Microsoft Exchange hackers are doing with emails

The Chinese-led hack of Microsoft’s Exchange server software is a noisy invasion of marauding bandits. The hack, believed to be linked to Chinese nation-state hackers, relied on exploiting a previously unknown vulnerability in Exchange Server, the flagship Microsoft software for powering corporate and business email servers.

That exploit was put into use by multiple criminal groups almost immediately, taking advantage of Microsoft customers who had not yet installed a crucial patch on their Exchange email servers.

Ryan Sherstobitoff, vice president of research at SecurityScorecard, says millions of emails could be stolen for corporate secrets, with phishing campaigns and other email-related crimes to follow. Tens of thousands of customer Exchange email servers are technically still vulnerable to the exploit, but attackers are only actually taking advantage of the opening in far fewer, the researcher says.

Sherstobitoff says his company has tracked hundreds of companies where “the attackers had the ability to get into the email, to dump them, read them, steal them, and then use them in subsequent attacks like spear-phishing.”

The spear-phishing – targeted attacks where hackers try to trick certain users into clicking on malicious links or downloading tainted attachments – could be especially dangerous right now, he said, because remote workers are accessing email from less secure environments (like their own homes).

The company RiskIQ, which scans systems for cybersecurity threats, found that over 800 enterprises are now fending off active attacks related to the Microsoft Exchange attacks, including 227 banks, 239 healthcare organizations, 69 pharmaceutical firms, and 93 government agencies. 

Tushar Richabadas of Barracuda Networks said his research into the hackers suggests “phishing and intelligence-gathering are definitely things they want to do, and it could also be that they want to get further into the network” of companies. 

Richabadas told Insider his company still sees multiple “groups trying to get in on the action,” and he suspects that will slow down soon. But that doesn’t mean we’ve seen the full extent of the damage just yet.

“You’re going to see a long tail of this happening for a while. There are a lot of smaller organizations which don’t keep up-to-date with patches,” Richabadas said.

Microsoft released a one-click fix for the issue Monday for Exchange Server customers, and has published further guidance. “We remain committed to supporting our customers against these attacks,” a Microsoft spokesperson said in a statement.

What the SolarWinds hackers are doing with emails

Compared to the Microsoft Exchange server outlaws, the SolarWinds hackers are quiet as a mouse while they read your emails – which they are planning to do for a long time.

While the SolarWinds attacks didn’t directly compromise the underlying security of Microsoft’s cloud services, the hackers were able to exploit two-factor authentication software, which gave them broad access to Office 365 corporate inboxes across America.

New research from the company that discovered the SolarWinds attacks shows the hackers are still active, still gathering intelligence on businesses and government agencies, and still planning to stay for a while. Now they’re using a crafty new technique, researchers say.

Mandiant, the research arm of the cybersecurity company FireEye, released new research Thursday showing the SolarWinds hackers have been changing settings in organizations’ Microsoft email systems to allow ongoing espionage, a tactic they hadn’t used previously. 

That’s a bit of a surprise because there has been an enormous amount of media coverage and US government attention around the attacks, and some experts thought the hackers would pull back or at least lay low for a while. 

“At first blush I was a little bit surprised,” says Doug Bienstock, an incident response manager at Mandiant. “But it makes sense to me to see them pivot to a technique that they weren’t previously using because it’s something that wasn’t discussed publicly.”

The hackers have been busy, tampering with email settings in a particularly sly way. In government and industry organizations, Mandiant researchers have noted the hackers changing the email permissions of certain key users. The changes would allow any signed-in user of that organization to read the targeted user’s email in the future. This change could then be exploited in an ongoing way by hackers signed in to any hacked account within that organization. 

The tactic is stealthy, like many aspects of SolarWinds, which hid from companies for years. Signing in as an administrator, or granting new permissions later on, could raise suspicion, but using average users’ accounts most likely would not. Corporate espionage could then be carried out from a number of different accounts without setting off cybersecurity alarms.
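The change the article describes, a mailbox that any signed-in user in the organization can read, shows up in Exchange as a folder-level permission granted to the built-in “Default” (every authenticated user) or “Anonymous” entry, which normally carry no rights. The following audit script is an added example, not code from the article, Mandiant or Microsoft; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and that the mailbox root, Inbox and Sent Items are the folders worth checking first.

```powershell
# Added audit script (not from the article or Mandiant). Assumes an active
# Exchange Online session; Get-Mailbox and Get-MailboxFolderPermission are
# standard Exchange Online cmdlets.
# Folder permissions for the built-in "Default" and "Anonymous" users are
# normally "None". Any other right means every signed-in user (Default) or
# even unauthenticated callers (Anonymous) can read that folder.

$Suspect = @("Default", "Anonymous")
# Folders to inspect; "\" is the mailbox root (Top of Information Store).
$Folders = @("\", "\Inbox", "\Sent Items")

$Findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($folder in $Folders) {
        $id = "$($mbx.PrimarySmtpAddress):$folder"
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            # The User property is an object with a DisplayName in most
            # module versions; fall back to its string form otherwise.
            $who = if ($p.User.DisplayName) { $p.User.DisplayName } else { [string]$p.User }
            if (($Suspect -contains $who) -and ($p.AccessRights -notcontains "None")) {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $folder
                    User         = $who
                    AccessRights = ($p.AccessRights -join ",")
                }
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
} else {
    "No Default/Anonymous folder permissions found on the inspected folders."
}
```

Each finding should be compared against the mailbox audit log to see who made the change; resetting the entry is done with Set-MailboxFolderPermission -Identity "<mailbox>:<folder>" -User Default -AccessRights None once the change is confirmed to be unauthorized.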

This new tactic continues the espionage efforts that researchers have cited before, as opposed to engaging in cybercrime. “Everything that this threat actor has done, or at least that we’ve been able to see them do, is related to access information,” Bienstock said.

Organizations can address SolarWinds issues with that company’s software patches, or this email tactic with a FireEye tool. 
