China’s and Russia’s Spying Sprees Will Take Years to Unpack

First it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that’s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.

Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.

By now you’re probably familiar with the basics of the SolarWinds attack: Likely Russian hackers broke into the IT management firm’s networks and altered versions of its Orion network monitoring tool, exposing as many as 18,000 organizations. The actual number of SolarWinds victims is assumed to be much smaller, although security analysts have pegged it in at least the low hundreds so far. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly pointed out to anyone who will listen, his was not the only software supply chain company that the Russians hacked in this campaign, implying a much broader ecosystem of victims than anyone has yet accounted for.

“It’s become clear that there’s much more to learn about this incident, its causes, its scope, its scale, and where we go from here,” said Senate Intelligence Committee chair Mark Warner (D-Virginia) at a hearing related to the SolarWinds hack last week. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, estimated in an interview with MIT Technology Review this week that it could take up to 18 months for US government systems alone to recover from the hacking spree, to say nothing of the private sector.

That lack of clarity goes double for the Chinese hacking campaign that Microsoft disclosed Tuesday. First spotted by security firm Volexity, a nation-state group that Microsoft calls Hafnium has been using multiple zero-day exploits—which attack previously unknown vulnerabilities in software—to break into Exchange Servers, which manage email clients including Outlook. There, they could surreptitiously read through the email accounts of high-value targets.

“You wouldn’t fault anyone for missing this,” says Veloxity founder Steven Adair, who says the activity they observed began on January 6 of this year. “They’re very targeted, and they’re not doing much to raise alarm bells.”

This past weekend, though, Veloxity observed a marked shift in behavior, as hackers began using their Exchange Server foothold to aggressively burrow deeper into victim networks. “It was really serious before; someone having unrestricted access to your email at will is in a sense a worst-case scenario,” says Adair. “Them being able to also breach your network and write files steps it up a notch in terms of what someone can get to and how hard the cleanup can be.”

Neither SolarWinds nor the Hafnium attacks have stopped, meaning the very concept of cleanup, at least broadly, remains a distant dream. It’s like trying to mop up an actively gushing oil tanker. “It is apparent that these attacks are still ongoing, and the threat actors are actively scanning the internet in a ‘spray-and-pray’ type fashion, targeting whatever looks to be vulnerable,” says John Hammond, senior security researcher at threat detection firm Huntress, about the Hafnium campaign.

Microsoft has released patches that will protect anyone using Exchange Server from the assault. But it’s only a matter of time before other hackers reverse engineer the fix to figure out how to exploit the vulnerabilities themselves; you can expect ransomware and cryptojacking groups to get in on the action posthaste.