Microsoft warns that China-backed hackers are targeting US law firms using Exchange Server security flaws

Microsoft releases security updates to patch on-premises Exchange mail servers
Microsoft is warning its customers about a “state-sponsored threat actor” that it calls Hafnium, which operates from China and is focused on exfiltrating information from industries including the legal sector. The group has been engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software.
Microsoft says that Hafnium primarily targets entities in the United States and conducts its operations from leased virtual private servers in the US. It warns specifically that law firms are being targeted, alongside “defense contractors, but also infectious disease researchers and policy think tanks.”
In a blog post this week Microsoft says: “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The attacks included three steps, as described here in Microsoft’s words: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
Microsoft adds: “We are focused on protecting customers from the exploits used to carry out these attacks. Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately. Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”
And it warns: “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”
This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.
Microsoft stresses that these exploits are not connected to the SolarWinds-related attacks. “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” Microsoft says.