CEO of FireEye: Unusual for China, a Reckless Microsoft Hack


China is being criticised for a breach that exposed tens of thousands of servers running Microsoft’s Exchange email service to the risk of being hacked. According to the CEO of a major cybersecurity company, it now appears that China launched an indiscriminate, automated second wave of hacking that paves the way for ransomware and other cyberattacks.

According to Kevin Mandia of FireEye, the second surge, which started on Feb. 26, is uncharacteristic of Beijing’s elite cyber spies and far exceeds espionage norms. Its sheer scale contrasts sharply with the highly focused design of the original hack, which was discovered in January.

In an interview with The Associated Press on Tuesday, Mandia said, “You never want to see a modern nation like China that has an offence capacity — that they normally regulate with discipline — unexpectedly reach potentially a hundred thousand systems.”

Based on the forensics, Mandia believes two groups of Chinese state-backed hackers planted backdoors known as “web shells” on an as-yet undetermined number of systems in an eruption of automated seeding. Experts are concerned that a significant number of those backdoors could quickly be used for second-stage ransomware infections, since ransomware operators likewise use automation to classify and infect targets.

Cybersecurity teams all over the world are scrambling to find and secure compromised networks. On Tuesday, the National Governors Association sent an unusual warning to governors, urging them to emphasise “both the gravity of the danger and the next steps” that local governments, companies, and vital infrastructure operators can take.

On Tuesday, David Kennedy, CEO of the cybersecurity company TrustedSec, tweeted that resource-intensive cryptocurrency-mining programmes had been deployed on several hacked Exchange servers.

The White House has labelled the hack an “aggressive threat,” but hasn’t called for tougher sanctions against China or made a distinction between the two waves, at least not publicly. Neither the White House nor the Department of Homeland Security responded to a request for comment about whether the second wave was caused by China.

Dmitri Alperovitch, the former chief technical officer of CrowdStrike, the other cybersecurity giant in the Washington, D.C. region, agrees with Mandia’s assessment. Mandia has been contending with Chinese state-backed hackers since 1995 and has long had the ear of presidents and prime ministers. According to Alperovitch, China needs to be warned right away to stop implanting web shells and limit the collateral damage.

The surge of automated backdoor creation started five days before Microsoft released a fix for the bugs, which cybersecurity company Volexity discovered in late January. Volexity found signs of the vulnerabilities being exploited as early as January 3 by Chinese state-sponsored hackers, who attacked think tanks, colleges, defence companies, law firms, and infectious-disease research centres, according to researchers.

Suddenly, web shells affiliated with established Chinese groups compromised all sorts of organisations that operate email servers, according to Mandia. Recognising that the fix was inevitable, the hackers raced to reach everything they could.

“We could see it was nearing the end of its existence, so they went crazy,” he said in an interview at FireEye’s headquarters. “They machine gunned down the stretch.”

“It’s likely that the second infection wave was not authorised by China’s government at the highest levels,” Mandia speculated.

“This does not seem compatible with what they usually do,” he said. “There is often a misalignment between executive leadership and front-line employees. All I would say is that seeing four ‘zero days’ wantonly abused surprised me.” He added, “If you might be exploited by this act, for the most part, you were.”

Zero days are previously unknown bugs in software that hackers exploit to gain access; they take their name from the patching countdown that begins once they are put to use. In this case, Microsoft took 28 days to create a patch after being alerted.

Mandia said the massive hack is unlikely to cause vital infrastructure failures or result in the loss of life. “It isn’t going to be a bloodbath.” However, it underscores how there are no rules of engagement in cyberspace, which he said policymakers must fix immediately “before anything disastrous occurs.”

When asked on Monday about the claims that China was behind the hack, the Chinese Embassy in Washington referred to comments made last week by Foreign Ministry spokesperson Wang Wenbin, who said that China “firmly condemns and combats cyber assaults and cyber theft of all kinds.” He said that attribution of cyberattacks should be founded on facts rather than “baseless claims.”

Mandia linked the Exchange attack to the SolarWinds hacking campaign, which his company uncovered in December and which Washington has blamed on elite Russian intelligence officers.

“The SolarWinds assault was very stealthy, very concentrated, and very surreptitious. The operator was restrained, and they went deep rather than wide,” said Mandia, who testified at several congressional hearings on SolarWinds. “It feels like this assault (Exchange) is really wide, but I don’t know how deep it is yet.”

The SolarWinds campaign, named after the Texas firm whose network management software was used to seed ransomware to over 18,000 users, hit at least nine federal agencies and over 100 private sector targets, according to US officials. Only a few of those were actually hacked during the campaign, which went undetected for eight months.

Russian intelligence agents had manually infiltrated the networks of 60 to 100 separate victims, according to Mandia. According to security experts, telecommunications and tech providers, as well as think tanks, were particularly hard hit.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.