with Aaron Schaffer

A hacking campaign with Chinese ties and a growing victim count poses a fresh wave of cybersecurity challenges for the Biden administration.

The White House and U.S. intelligence officials have issued increasingly urgent warnings for organizations to patch a critical vulnerability in Microsoft Exchange servers. The company says a group of Chinese government hackers it dubbed Hafnium has been exploiting it to gain access to the servers of public and private entities, and cybersecurity firms have confirmed at least four unnamed groups are also using it. 

“This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat,” White House press secretary Jen Psaki said Friday. 

Since Microsoft released a patch last week, hackers have escalated their efforts to find new victims before its used, officials warn.

At least 30,000 organizations across the United States have been hacked by the Chinese group, Brian Krebs first reported. That includes more than 4,000 state and local governments and critical infrastructure providers. The Cybersecurity and Infrastructure Security Agency hosted a call on Friday urging the organizations to immediately patch the vulnerability, Dustin Volz at the Wall Street Journal reports. There is no indication that federal agencies have been hacked using the Microsoft vulnerability.

The White House is expected to gather officials this week to consider creating a task force to review the incident and determine a potential response, Ellen Nakashima first reported. The U.S. has not yet formally attributed the attack since U.S. government personnel are struggling to sort out which hacker groups are doing what at this point, she writes. 

The targeting of local governments and small businesses could make cleanup difficult.

Many state and local governments lack strong cybersecurity resources. Some state governments have already found their IT systems struggling under the weight of the pandemic and any major impact on health services could further slow down vaccine distribution and key relief services. 

But leaving the problem unaddressed would allow hackers to remotely use the servers without the need for credentials. 

“Responding to back-to-back, large-scale cybersecurity incidents is challenging even for large, well-resourced security teams, Mat Gangwer, senior director of managed threat response at security firm Sophos wrote in an email. For the small and midsized business and local government organizations that are often underfunded, it can be daunting.” 

Making matters worse: Although Microsoft has pushed a fix to close the vulnerability, that alone will not get hackers out of any infiltrated network. 

The new cybersecurity crisis has already outpaced the number of SolarWinds victims. U.S. intelligence placed the number of SolarWinds victims at around 100 companies and nine federal agencies. At least 18,000 SolarWinds clients worldwide downloaded the malware Russian hackers used to get into users' systems.

The attack comes as the Biden administration is winding up its response to Russia. The Biden administration is preparing to release economic sanctions in the coming weeks. 

The Biden administration has spent weeks deliberating a response to Russia, so it's unlikely that even if it does formally attribute the Microsoft attack to China that it would act right away. An attribution from the U.S. government could escalate tensions between the Biden administration and the economic and technological rival, which the United States has condemned for hacking before. 

Government officials are still determining the motivation behind this hack.

The victims include a seemingly random variety of organizations. Previous Chinese hacking campaigns have gone after intelligence including coronavirus vaccine research and federal employee data

Hackers could also be waiting to cause more chaos. Once in the server, hackers could also use access to plant malware such as ransomware or to destroy data.

John Hultquist, vice president of threat intelligence at FireEye:

Cybersecurity researcher Andrew Thompson:

The keys

The State Department says Russian intelligence agencies used websites to undermine confidence in Western vaccines.

An official in the State Department’s Global Engagement Center said that Russian intelligence agencies used four websites to spread doubt about the risk of the vaccines, the Wall Street Journal’s Michael R. Gordon and Dustin Volz report

The low-readership news and academic sites repeated news reports about the vaccines, but did not include contextual information about their safety.

Kremlin spokesman Dmitry Peskov called the report “nonsense,” saying that “Russian special services have nothing to do with any criticism against vaccines.”

Researchers from the Alliance for Securing Democracy, which is affiliated with the German Marshall Fund, said that Chinese, Iranian and Russian officials and state media accounts used their Twitter accounts to focus on the Pfizer vaccine and play up the vaccine’s risk.

The White House is working on a plan to add software standards focusing on critical infrastructure.

The executive order will focus on software standards, especially for critical infrastructure, in the wake of the cyberattack on SolarWinds and other software, CyberScoop’s Sean Lyngaas reports

“The level of trust we have in our systems has to be directly proportional to the visibility we have,” deputy national security adviser for cyber and emerging technology Anne Neuberger said on Friday. And the level of visibility has to match the consequences of the failure of those systems.” Neuberger did not specify when the order would be signed or its scope. A National Security Council representative did not respond to a request for comment. 

Neuberger said SolarWinds attack will take months to investigate. The Biden administration is planning its response to the attack, which U.S. intelligence says was done by Russia.

Chat room

The attribution claims by the State Department officials quoted in the Wall Street Journal's report on Russia's campaign to undermine Western vaccines were noteworthy, according to Johns Hopkins University professor Thomas Rid:

CNN's Evan Pérez:

Graham Brookie, who is the director of the Atlantic Council's Digital Forensic Research Lab:


  • Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s cyber panel; Eric Goldstein, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity; and Debra Jordan, the deputy chief of the Federal Communications Commission’s homeland security bureau, speak at an event hosted by the Center for Strategic and International Studies on Tuesday at 11 a.m. 
  • Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, and Goldstein testify before a House Appropriations Committee panel on Wednesday at 10 a.m.
  • Secretary of State Antony Blinken testifies before the House Foreign Affairs Committee on the United States’ foreign policy priorities on Wednesday at 1:30 p.m.
  • The Aspen Institute hosts an event on international Internet blackouts on Tuesday at noon.
  • U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on Wednesday at 4:30 p.m.
  • A House Judiciary committee panel holds a hearing on technology competition and the press on Friday at 10 a.m. Microsoft president Brad Smith is expected to testify.
  • Former Google CEO Eric Schmidt, the chairman of a government commission on artificial intelligence, testifies, with other commissioners at a joint hearing on Friday at 11 a.m.

Secure log off

Start your Monday with a morning dose of cute: