Hafnium Hack Goes to “11”
What’s New: Chinese hackers have exposed as many as 400,000 Microsoft Exchange Servers to cyber attacks — with as many as 82,000 servers still vulnerable after nearly two weeks.
Why This Matters: While this attack originated with an Advanced Persistent Threat (APT) likely associated with the Chinese government, at least 10 other attack groups — including other nations and criminal syndicates — are now using this exploit.
A little more than one week ago, it was publicly reported that hundreds of thousands of Exchange email servers in 115 different countries, including more than 30,000 servers in the United States, were compromised by Chinese hackers who have been identified as “Hafnium.”
After gaining access to the networks, the attackers then dropped a “web shell”[1] backdoor that gives them total access to victims’ email and, in some cases, other computers.
In the beginning, the attackers were careful and methodical, using a chain of four zero-day exploits to gain access, surreptitiously steal entire mailboxes, and move laterally across networks. At some point, this activity was spotted by the cybersecurity company Volexity, which then worked with Microsoft to fix the vulnerabilities. That’s when things went sideways.
When the Hafnium operators realized the jig was up, they turned things up to “11” — the number of compromised servers and the number of attack groups exploiting these vulnerabilities skyrocketed very quickly.
“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They left web shells that can now enable others to get into those networks, potentially even ransomware actors,” said Dmitri Alperovitch, co-founder of Crowdstrike and chairman at the Silverado Policy Accelerator.
As mentioned above, more than 82,000 servers globally are yet to be patched and, therefore, remain compromised.
What I’m Thinking:
Hafnium and Holiday Bear are both awful. Because it’s fresh in the public mind, many want to use the recent Russian supply chain hack as a point of reference for assessing the Exchange compromise. Put simply: They’re both very, very bad. The level of compromise and the sheer scale of both sets of victims is eye-watering and we’re a long way away from having either hack under control. That said, where Holiday Bear exercised a type of self-discipline by narrowing its most aggressive exploitation to a group of high-priority targets, Hafnium blew the doors off of everyone and invited every bad guy on the internet to raid their victims. Both APTs were reckless, but Hafnium was especially so and in a particularly destructive manner.
Let the hostage-taking begin. There are a lot of reasons individuals and companies will be slow to patch. Besides a lack of awareness or cybersecurity diligence, many companies build custom software to run on top of their Exchange servers that can sometimes “break” if they’re not optimized to run on updated hardware or software. This is the problem of “entanglement” and it is inevitably slowing some from patching their networks. This, then, means that there are tons of folks who are about to get ransomwared. Don’t forget, the WannaCry and NotPetya attacks both exploited vulnerabilities that had been patched years prior to these attacks. Even so, NotPetya did more than $10 billion in damages and the scale of this compromise dwarfs that one. If you really want to give yourself bad dreams, read this article I wrote in 2018.
One awkward conversation, please. Beijing is saying this is a “complex technical issue” and is pushing back on what it calls “groundless accusations.” But I’m not sure that’s going to cut it this week when Secretary of State Antony Blinken and National Security Advisor Jake Sullivan meet with Chinese counterparts in Alaska to have “direct, unfettered talks.” “There is a long litany of disagreements,” said State Department spokesman Ned Price. “We will certainly not pull any punches.” I guess we’ll see.
Finally, this problem is with us for a while because of our own failures. A new GAO report says that none of the 23 government agencies it reviewed have implemented best practices for identifying and mitigating cybersecurity risks. It’s simple, really: the heads of those agencies should be fired. I know it’s more complicated than that — limited budgets, competing priorities, Congress, blah, blah, blah. No it’s not. Accountability is the only way we get out of this and that means it’s time to let the pink slips fly.
Moscow & Beijing Agree to a Joint Moon Base
What’s New: Russia and China have signed a Memorandum of Agreement (MOA) to partner on lunar operations, including building a permanent base on the surface of the moon or in its orbit, according to The New York Times.
Why This Matters: First, this plan for a permanent base on the moon could set off another “space race” with the United States. Second, this MOA further fuels concerns about a possible alliance between Russia and China that could challenge US interests more broadly.
NASA has plans to land humans on the moon in 2024 as a part of its Artemis project. These plans also include building a permanent base orbiting the moon, called Gateway. Eight nations, including the UK, Italy, Japan, and the UAE, have joined the project.
The Russia-China MOA was announced on Tuesday and was light on details, with no timeline.
A statement from the China National Space Administration said both nations would “use their accumulated experience in space science research and development and use of space equipment and space technology to jointly formulate a route map for the construction of an international lunar scientific research station.”
Historically, the United States and Russia have been the top dogs in space. However, it seems likely that China will supplant Russia’s leadership position as Moscow increasingly assumes a supporting role when it comes to space travel and research.
In 2019, China landed an unmanned spacecraft on the dark side of the moon — the first successful effort to do so. Another mission, the Chang’e-7, is scheduled to go to the moon’s southern pole in 2024.
What I’m Thinking:
Space is going to get crowded. The United States, China, and the UAE are all either on Mars or headed there. More than 70 nations have a space program and there are at least 129 “private spaceflight companies” globally. There are all kinds of business opportunities being explored, including space tourism, commercial satellite operations, and even asteroid mining.
The MOA doesn’t freak me out. The agreement is likely as much about propaganda and public perceptions as it is about meaningful advancements in space. Don’t get me wrong, China and Russia would love to have a moon base, but there are a lot of hurdles between here and there and I don’t think this announcement does anything to American plans (except maybe speed them up).
Broader concerns about a growing alliance are reasonable, but I’m not too worried (yet). Moscow does sell China advanced weapons and the two nations have conducted a number of joint military exercises. They also tend to politically cooperate at the United Nations to frustrate Western policy. But all of that, I believe, largely falls into the category of pragmatic and self-interested cooperation at this point. That said, it’s not crazy to think that the two nations would cooperate in an effort to dilute American influence and power and so a watchful eye on their collaborations is well-justified.
Cool Stuff DoD is Doing
What’s New: Three initiatives within the DoD illustrate how the nation’s warfighters are pursuing near-, mid-, and long-term efforts to ensure our military remains the most efficient, lethal, and capable force in history.
Why This Matters: I often raise concerns about how well the US military is able to identify and to incorporate the tech that will be needed in tomorrow’s national security environment; but, it’s always good to remember that — even with our challenges — the DoD is always refining and improving itself. Plus, each of the projects listed below is pretty cool.
The first project is a 20-year, $21 billion effort to modernize four shipyards in Pearl Harbor, Hawaii; Kittery, Maine; Portsmouth, Virginia; and Puget Sound, Washington. At the core of this upgrade is a modeling-and-simulation technology called digital twinning — where a complete digital replica of a piece of machinery, some other object, or even a building is used for real-time awareness, training, and modeling. In the case of the shipyards, it’s being used to find the most productive ways to remodel the aging docks.
“The modeling and simulation is really key as it allows us the opportunity to figure out how to optimize flow, not only within the shops, but around the yards to provide the most efficient and productive layout for operations within the shipyard,” said Stephanie Douglas, executive director for logistics, maintenance and industrial operations at Naval Sea Systems Command.
Another cool project involves the US Army wanting to launch “loitering munitions” (aka, suicide drones) from helicopters. Basically, a number of defense contractors are creating variants of small, relatively inexpensive drones that have the ability to identify, track, and destroy a target. Northrop Grumman, for example, has a drone that can carry reconnaissance, electronic warfare, or loitering munition payloads and is compatible with the AH-64 Apache. Being able to deploy such a munition from a helicopter would allow pilots to simultaneously engage multiple targets and to have a persistent “presence” even after the actual pilots have left the airspace.
Finally, another US Army project is exploring the possibility of combining robots with organic, living tissue. According to Federal News Network, the Army’s Combat Capabilities Development Command is teaming up with universities in North Carolina to build bio-hybrid robots that use flexible and versatile tissue-like tendons to improve the agility and survivability of machines.
Dean Culver, an ARL research scientist, told Federal News Network, “One of the real advantages of muscle and the tendons and ligaments associated with the rest of the kinetic chain in organisms is that flexibility lets something go a little bit wrong. There won’t be a catastrophe. I can slip and adjust a little bit and not fall down.”
What I’m Thinking: Occasionally, I just like to point at things that I think are cool — no need to ruin it with a bunch of commentary. I’ll simply leave you with this quote from two-time Olympic Gold Medalist Bob Richards:
“Ingenuity, plus courage, plus work, equals miracles.”
That’s it for this Monday Brief. Thanks for reading, and if you think someone else would like this week’s newsletter, please share it with your friends and followers.
Have a great week!
[1] A “web shell” is short-hand for a bit of code that allows bad guys to have remote, persistent access to compromised computers and networks. They tend to be very effective, but also noisy and easily discovered.