With the weekend looming, experts say it is only a matter of time before the break-in tools are cloned by other spies or cybercriminals, with the potential to compound the problem for users of Microsoft’s widely used Exchange email and calendaring software.
Wielding tools that exploited four previously unknown vulnerabilities, the allegedly Chinese group that Microsoft dubs “Hafnium” has been breaking into email servers since January, remotely and silently draining inboxes of their messages without having to send a single malicious email or rogue attachment.
Norwegian authorities said they had seen “limited” use of the hacking tools in their country. The Prague municipality and the Czech Ministry for Labor and Social Affairs were among those affected, according to a European cyber official briefed on the matter.
The official said that the technique’s ease of exploitation meant that the hackers had effectively been enjoying a “free buffet” since the beginning of the year.
The worry now is that others may be about to join the feast.
Although Microsoft has published fixes for the vulnerabilities and the US government, including National Security Adviser Jake Sullivan, has urged users to update their software, in practice not everyone is doing so. Meanwhile, hackers are studying the fixes to reverse engineer Hafnium’s tools and appropriate them for themselves.
Once that happens, experts say, the targeting may get even more aggressive.