What’s behind the major China and Russia cyberattacks recently?

Experts reckon that China’s and Russia’s espionage sprees may take years to unpack.
11 March 2021

Russian Prime Minister Mikhail Mishustin. Moscow has denied involvement in the alarming intrusion into public and private computer servers that reportedly began in 2019, the scope of which U.S. security officials are still grappling with. Photo by Dimitar DILKOFF / AFP

  • The full extent of Russia’s SolarWinds and China’s Hafnium attacks may never be known
  • Neither the SolarWinds nor the Hafnium attacks have ceased entirely, so an end to this remains a distant prospect
  • The proliferation of cyberattacks by rivals is presenting a challenge to the Biden administration

It started with SolarWinds, a protracted Russian state-backed hacking campaign that stretches back almost a year and has compromised at least nine US government agencies and countless private companies. Then came Hafnium, a Chinese group that has been exploiting vulnerabilities in Microsoft Exchange Server to sneak into victims’ email inboxes, and beyond. The collective toll of these espionage sprees – allegedly state-sponsored by Russia and China – which spanned most of the last year-plus, is still being uncovered. Experts fear it may never be fully known.

Although states routinely spy on each other, the extent and sophistication of Russia’s and China’s latest efforts are still baffling. The immediate impact of both campaigns shows just how tricky it can be to take the full measure of a wide-reaching cyber warfare campaign, even after it has been detected. In fact, officials are still struggling to understand how the latest hack compares with last year’s intrusion into a variety of federal agencies and corporate systems by Russian hackers.

The attacks and their consequences

It is becoming more apparent that the Exchange Server hack that Microsoft has attributed to Beijing poses many of the same challenges as the SolarWinds attack conducted by the Russians, although the targets and the methodology are significantly different. In the SolarWinds incident, the Russian hackers planted malicious code in an update of the SolarWinds network management software. While about 18,000 customers of the company downloaded the tainted update, so far there is only evidence that the Russian hackers stole material from nine government agencies and roughly 100 companies.

In the hack that Microsoft has attributed to the Chinese, by contrast, an estimated 30,000 or so customers were affected when the hackers exploited holes in Exchange, a mail and calendar server created by the company. Microsoft said in a blog post that those systems are used by a broad range of customers, from small businesses to local and state governments and some military contractors. The hackers were able to steal emails and install malware to continue surveillance of their targets, but Microsoft said it had no sense of how extensive the theft was.

The hackers had stealthily attacked several targets in January, according to Volexity, the cybersecurity firm that discovered the hack, but escalated their efforts in recent weeks as Microsoft moved to repair the vulnerabilities exploited in the attack. The nation-state group that Microsoft calls Hafnium has been using multiple zero-day exploits — which attack previously unknown vulnerabilities in software — to break into Exchange Servers, which serve email clients including Outlook. From there, they could surreptitiously read through the email accounts of high-value targets.

US National Security Adviser Jake Sullivan said on Twitter that the White House was “closely tracking” reports that the vulnerabilities in Microsoft Exchange were being used in “potential compromises of U.S. think tanks and defense industrial base entities.” Microsoft has since released patches that protect anyone running Exchange Server from the assault, provided they are applied. But experts reckon that it is only a matter of time before other hackers reverse engineer the fix to figure out how to exploit the vulnerabilities themselves.

Jim McMurry, founder of Milton Security Group Inc., a Southern California cybersecurity monitoring service, was quoted in a report as saying that smaller organizations are “struggling already due to Covid shutdowns — this exacerbates an already bad situation. I know from working with a few customers that this is consuming a great deal of time to track down, clean, and ensure they were not affected outside of the initial attack vector,” he said.

McMurry said the issue is “very bad” but added that the damage should be mitigated somewhat by the fact that “this was patchable, it was fixable”. Either way, the attacks were so successful and so rapid that the hackers appear to have found a way to automate the process.