Microsoft Customers Fall Victim to Cyber Attack Linked to China


Microsoft announced this week that U.S. businesses and government agencies that use a Microsoft email service were the victims of an aggressive hacking campaign initiated by the Chinese government.

Tens of thousands of victims have already been attacked, and according to the security experts investigating the breach, that number is likely to rise. Cybersecurity firm Volexity discovered the attack, which began in January, when hackers took advantage of vulnerabilities in Microsoft software. In recent weeks, the attacks have intensified.

An emergency warning was released by the U.S. government’s cybersecurity agency urging federal agencies to immediately patch their systems.

“We’re concerned that there are a large number of victims,” White House press secretary Jen Psaki said during a press briefing. She stated that the attack “could have far-reaching impacts.”

Federal officials struggled to understand how this latest attack compared to a Russian attack last year that compromised the systems of federal agencies and corporations. That attack, which became known as the SolarWinds attack, planted malicious code in an update of SolarWinds’ network management software. The tainted update was downloaded by nearly 18,000 people, but data was stolen from only about 100 companies and 9 government agencies.

In this attack, attributed to the Chinese government, an estimated 30,000 victims have been exploited by the hackers through Exchange, a Microsoft mail and calendar server. The attacks allowed hackers to steal emails and to install malware that let them surveil victims. Exchange is used by a wide variety of customers, including small businesses, state and local governments, and military contractors.

Wang Wenbin, a spokesman for China’s Ministry of Foreign Affairs, was asked whether China was responsible for the attack and replied, “China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyberattacks is a complex technical issue. It is also a highly sensitive political issue to pin the label of cyberattack to a certain government.”

Steven Adair, founder of Volexity, noted that the hack was detected in January. The hackers exploited a bug that allowed them to access email servers and steal emails without a password.

“This is what we consider really stealth,” said Adair. “It caused us to start ripping everything apart.”

Attacks escalated quickly in late February, as the hackers began chaining multiple vulnerabilities together to attack a larger number of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit. It just kept getting worse and worse.”

“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” said Jake Sullivan, the White House national security adviser.

Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency, said that organizations that run Microsoft’s Exchange program should assume they were compromised sometime between February 26 and March 3, and should install the patches released by Microsoft as quickly as possible.

Jeff Jones, a senior director at Microsoft, said that “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”

Microsoft says that a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the attack.

Since the attack, Microsoft has also disclosed that other hackers not affiliated with Hafnium have taken advantage of the vulnerabilities and begun attacks of their own. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.

Patching these systems is not an easy task. Email servers are difficult to maintain, even for security professionals. Microsoft has urged users to move to the cloud, where Microsoft manages security on their behalf, which is much easier for them. Experts believe this attack could push users toward cloud-based email services.

“Even for people who patched this as fast as humanly possible, there’s an extremely high chance that they were already compromised,” concludes Adair.

Story via The New York Times
