Microsoft Exchange used to hack diplomats

Published 4 August 2021 at https://mybroadband.co.za/news/software/408692-microsoft-exchange-used-to-hack-diplomats.html

Late last year, researchers at the Los Angeles-based cybersecurity company Resecurity stumbled across a massive trove of stolen data while investigating the hack of an Italian retailer.

Squirreled away on a cloud storage platform were five gigabytes of data that had been stolen during the previous three and a half years from foreign ministries and energy companies by hacking their on-premises Microsoft Exchange servers. In all, Resecurity researchers found documents and emails from six foreign ministries and eight energy companies in the Middle East, Asia and Eastern Europe.

The attacks, which haven't been previously reported, served as a prequel to a remarkably similar, widely publicized hack of Microsoft Exchange servers from January to March of this year, according to Resecurity. A person familiar with the investigation into the 2021 attack, who wasn't authorized to speak publicly and requested anonymity, made a similar allegation, saying the data theft discovered by Resecurity followed the same methods. The 2021 hack was extraordinary for its scope, infecting as many as 60,000 global victims with malware.

Microsoft quickly pinned the 2021 cyberattack on a group of Chinese state-sponsored hackers it named Hafnium, and the U.S., U.K., and their allies made a similar claim last month, attributing it to hackers affiliated with the Chinese government.

Resecurity can't say for sure the attacks were perpetrated by the same group. Even so, the cache of documents contained information that would have been of interest to the Chinese government, according to Gene Yoo, Resecurity's chief executive officer. The person familiar said the victims selected by the hackers and the type of intelligence gathered by the attackers also pointed to a Chinese operation.

Researchers at other cybersecurity firms, who requested anonymity because they hadn't reviewed all of Resecurity's findings, cautioned that the attacks could have been perpetrated by any number of nations interested in Middle East diplomacy and the internal communications of influential energy companies.

Regardless, both hacking campaigns underscore how flaws in Microsoft's popular on-premises email servers — which are controlled by the customers using those systems — have for years acted as a skeleton key for hackers to unlock sensitive data from government and private companies.

The Chinese government rejected allegations that its state-sponsored hackers were involved in any of these attacks.

"China resolutely opposes any form of online attack or infiltration. This is our clear and consistent stance," the Ministry of Foreign Affairs said, in a messaged statement. "Relevant Chinese laws on data collection and handling clearly safeguard data security and strongly oppose cyberattacks and other criminal activity."

In addition, the Ministry said it was a "complex technology problem" to determine the source of attacks, adding that it hoped the media would avoid "groundless speculation" and rely on "comprehensive evidence when determining the nature of cyberspace events." China has already proposed a global data security standard and urges "all parties to work with us to genuinely safeguard global data security," according to the Ministry's statement.

Microsoft Corp. spokesperson Jeff Jones said in a statement that "many nation-state actors" target email systems to gain confidential information, and that Microsoft's security teams are "constantly working with our security partners" to identify new vulnerabilities that could be used in future attacks.

Microsoft has been tracking Hafnium, the group it accused of the 2021 attack, since as early as April 2020, including collecting data about its cyber-espionage operations, Jones said. Microsoft's threat intelligence unit has since tracked multiple campaigns by Hafnium, and has notified countries that were victims of the attacks, according to Jones, who didn't identify the countries. Hafnium's goal is espionage with a focus on data theft, he said.

In a series of breaches stretching from 2017 to 2020, hackers stole documents and emails from foreign ministries in Bahrain, Iraq, Turkey, Oman, Egypt and Jordan – and email and data from eight energy companies, including Malaysian oil and gas giant Petronas Nasional Bhd and India's Hindustan Petroleum Corp., according to Resecurity and a review of the stolen data by Bloomberg News.

Some of the emails and documents appear to contain sensitive information: diplomatic cables, critical network data including usernames and passwords, and private consumer data.

For instance, one memo from an attaché from Bahrain described a Dec. 9, 2018, meeting in which the country's leading Asia diplomats met with Chinese counterparts, at a time when China was facing a possible special session of the United Nations Human Rights Council to scrutinize its treatment of Muslim Uyghurs. In the meeting, China's Lin Jiming recalled that two years earlier, his country defended Bahrain's own human rights record during a formal U.N. review, according to the memo, which was forwarded to Bahrain's foreign minister and human rights affairs directorate, along with a recommendation to support China's position.

Bahrain was among 37 countries that signed a letter in mid-2019 supporting China's policies in the western region of Xinjiang. The special session never occurred.

There are also documents detailing day-to-day business, such as internal memos about personnel changes, news summaries, an autograph request for a foreign minister and invitations to diplomatic conferences, according to Resecurity and the documents reviewed by Bloomberg.

Officials in Bahrain didn't respond to a message seeking comment. Officials in Iraq confirmed the government has been the target of cyberattacks but said they weren't damaging. Representatives from Turkey, Oman, Egypt and Jordan didn't respond to requests for comment. HPCL didn't respond.

The attackers also compromised a series of mostly state-run energy companies, utilities and research facilities covering regions stretching from Eastern Europe to Southeast Asia, according to Resecurity. Along with sensitive administrative data and intellectual property, Resecurity's researchers also found lists of users, their internal network permissions and password details, all of which could be used by hackers to expand their footprint inside victim networks, according to Resecurity researchers and the documents.

Inside the servers of Petronas, the hackers found lists of usernames and passwords, according to Resecurity and the documents. Within Hindustan Petroleum, they found thousands of user records and employee emails, according to the researchers and documents.

Other victims included Doosan Fuel Cell Co. in Korea; Romania's Institute for Nuclear Research in Pitesti; the State Oil Company of Azerbaijan Republic, known as SOCAR; the UAE's Sharjah National Lube Oil Corp.; and Jordan's Electric Distribution Company and National Electric Power Company, according to Resecurity.

In response to a Bloomberg query, Doosan said its Exchange server was attacked but that hackers were prevented from stealing any data. Petronas didn't answer specific questions about the alleged attack but provided a statement about their "robust and comprehensive cybersecurity strategy."

The other companies and Romania's nuclear research unit didn't respond to requests for comment.

The 2021 attack occurred after hackers discovered a series of previously unknown vulnerabilities — called zero days — in the Microsoft Exchange email system, and then used those to exploit tens of thousands of victims globally. While the attack's sprawl was unprecedented, relatively few of the Exchange customers who were infected with malware were then targeted for more invasive attacks such as data theft or ransomware, Microsoft said in a blog.

It's unclear how the hackers behind the earlier attacks on foreign ministries and energy companies initially infiltrated the networks.

But after the original compromise, both attacks were almost identical. Hackers installed web shells on victim networks that allowed them to remotely access the internal login page for each server. The attackers then used an open-source tool called Mimikatz (and a modified version of Mimikatz) to steal passwords and establish a connection inside the network.

Such methods aren't particularly unique. Instead, such generic attack methods allow hackers to hide their tracks and have become a signature for government hacking groups, including some affiliated with the Chinese government, said Ben Read, director of cyber-espionage analysis at the cybersecurity firm Mandiant.

The security research firm Cybereason Inc. published its own allegations about Chinese hackers this week. The firm alleged that at least five telecommunications giants were targeted by state-backed Chinese hackers in an operation also dating back to 2017. The hacking groups stole phone records and geolocation data by exploiting systems, including Microsoft Exchange servers, according to a report published Aug. 3. The Chinese Foreign Ministry said the report "hypes political rumors" created by the U.S. and its allies and are "fabricated out of nothing."