FireEye CEO: Reckless Microsoft Hack Unusual for China
FireEye CEO: Reckless Microsoft Hack Unusual for China

By The Associated Press

RESTON, VA. — Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running Microsoft’s Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

The second wave, which began Feb. 26, is highly uncharacteristic of Beijing’s elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.

“You never want to see a modern nation like China that has an offense capability—that they usually control with discipline—suddenly hit potentially 100,000 systems,” Mandia said Tuesday in an interview with The Associated Press.

Mandia said his company assesses based on the forensics that two groups of Chinese state-backed hackers—in an explosion of automated seeding—installed backdoors known as “web shells” on an as-yet undetermined number of systems. Experts fear a large number could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.

Across the globe, cybersecurity teams are scrambling to identify and shore up hacked systems. The National Governors Association sent a rare alert to governors on Tuesday asking them amplify “both the severity of the threat and the next steps” local governments, businesses, and operators of critical infrastructure should take.

David Kennedy, CEO of the cybersecurity firm TrustedSec, tweeted Tuesday that resource-demanding programs that “mine” cryptocurrencies were being installed on some compromised Exchange servers.

The CEO of FireEye Kevin Mandia gives a tour of the cybersecurity company’s unused office space in Reston, Va., on March 9, 2021. (Nathan Ellgren/AP Photo)

The White House has called the overall hack an “active threat,” but so far has not urged tough action against China or differentiated between the two waves—at least not publicly. Neither the White House nor the Department of Homeland Security offered comment on whether they attribute the second wave to China.

The assessment of Mandia, who has been dealing with Chinese state-backed hackers since 1995 and has long had the ear of presidents and prime ministers, squares with that of Dmitri Alperovitch, former chief technical officer of CrowdStrike, the other cybersecurity powerhouse in the Washington area. Alperovitch says China needs to be immediately put on notice: Shut down those web shell implants and limit collateral.

The explosion of automated backdoor-creating hacks began five days before Microsoft issued a patch for the vulnerabilities first detected in late January by the cybersecurity firm Volexity. It had found evidence of the vulnerabilities being used as far back as Jan. 3 by Chinese state-backed hackers, who researchers say targeted think tanks, universities, defense contractors, law firms, and infectious-disease research centers.

Suddenly, all manner of organizations that run email servers were infected with web shells associated with known Chinese groups, who—knowing the patch was imminent—rushed to hit everything they could, said Mandia.

“They could sense it was going to end-of-life soon, so they just went wild. They machine gun-fired down the stretch,” he said in an interview in FireEye’s offices.

“It’s possible the second infection wave was not approved at the highest levels of China’s [regime],” Mandia said.

“This doesn’t feel consistent with what they normally do,” he said. “A lot of times there’s a disconnect between senior leadership and front-line folks. All I can tell you is it was surprising to me to see four ‘zero days’ wantonly exploited,” adding, “If you could be exploited by this act, for the most part, you were.”

“Zero days” are vulnerabilities that hackers discover and use to pry open secret doors in software. Their name derives from the countdown to patching that begins after they are deployed. In this case, it took Microsoft 28 days to produce a patch once it was notified.

People walk past a Microsoft office in New York on Nov. 10, 2016. (Swayne B. Hall/AP Photo File)

Mandia cautioned that the mass hack is not apt to trigger any critical infrastructure failures or cost lives. “It’s not going to draw blood.” But it highlights how there are no rules of engagement in cyberspace, something governments urgently need to address “before something catastrophic happens.”

Asked for comment on Monday about allegations it was behind the hack, the Chinese Embassy in Washington pointed to remarks last week from Foreign Ministry spokesperson Wang Wenbin saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms.” He said attribution of cyberattacks should be based on evidence and not “groundless accusations.”

Mandia compared the Exchange hack with the SolarWinds hacking campaign that Washington has blamed on elite Russian intelligence agents that his company discovered in December.

“The SolarWinds attack was very surreptitious, very stealthy, very focused. The operator showed restraint and they went deep not wide,” said Mandia, who appeared in multiple Capitol Hill hearings on SolarWinds. “This attack [Exchange] feels very wide, but what I don’t have an answer to yet is just how deep it is.”

U.S. officials say at least nine federal agencies and over 100 private sector targets were affected by the SolarWinds campaign, named after the Texas company whose network management software was used to seed malware to more than 18,000 customers. Only a small number were hacked during the campaign, which went eight months without being detected.

Mandia said Russian intelligence operatives had manually penetrated the networks of between 60 and 100 different victims. Security researchers say telecommunications and software companies and think tanks were especially hard hit.

By Frank Bajak and Nathan Ellgren

Affiliate News Feeds

  • Hardware
  • Internet of Things
  • Networking
  • Industry News
  • Software

The tech titan Amazon used its show in Las Vegas to talk about watery matters, supply chains and much more. The post AWS re:Invent 2022: A tiered tour of technology… [...]

In a recent interview with Ravi Pendekanti, SVP of Product Management & Marketing at Western Digital, he explained how they have expanded their HDD technology to lower total cost of… [...]

Our picks for the top Amazon Cyber Week deals to ease the stress of those who work from home. The post 5 Amazon Cyber Week deals sure to make remote… [...]

IIoT can be a revelation when implemented successfully, but companies may run into obstacles. Here’s what IIoT is and the top five obstacles associated with using it. The post Top… [...]

Learn how Internet of Things technology has continued to support digital transformation for organizations across industries. The post Top 5 trends to watch in industrial IoT appeared first on TechRepublic. [...]

UK-based IoT connectivity platform provider seeks élan and style by snapping up French firm. The post Wireless Logic continues acquisition spree with IoThink Solutions deal appeared first on TechRepublic. [...]

Consider securing your remote work setup with a three-year subscription to a top VPN. Windscribe Pro is more than 70% off today only. The post Lock in 3 years of… [...]

Virtualization platforms are available from a number of vendors, but it’s still critical to maintain your virtualization environment to avoid unnecessary resource consumption, out of-compliance systems or applications, data loss,… [...]

The company’s products seek to address real-time data transport, edge data collection instruments. The post NVIDIA unveils supercomputing and edge products at SC22 appeared first on TechRepublic. [...]

An account takeover (ATO), in which criminals impersonate legitimate account owners to take control of an account, are on the rise in Asia and across the world. Fraudsters are swindling… [...]

Experts warn that API attacks will soon become the most common type of web application attack. As a result, organizations and their security vendors need to align across people, processes,… [...]

Research shows that web applications and API attacks continued to explode in the first half of 2022. Does your organization have the best defense today? Akamai recommends deploying a holistic… [...]

See how to integrate the Trello software with Google Mail for a much simpler project management workflow. The post How to integrate Trello with Gmail appeared first on TechRepublic. [...]

Read how to install the Trello app in macOS and why it will make your project management even easier. The post How to install the Trello app on macOS and… [...]

Find out if one of these top seven Wrike alternatives are an ideal project management solution for you and your team. The post Top 7 Wrike alternatives for project and… [...]