At first the Chinese hackers ran a careful campaign. For two months, they exploited weaknesses in Microsoft Exchange email servers, picked their targets carefully, and stealthily stole entire mailboxes. When investigators eventually caught on, it looked like typical online espionage—but then things accelerated dramatically.

Around February 26, the narrow operation turned into something much bigger and much more chaotic. Just days later, Microsoft publicly disclosed the hacks—the hackers are now known as Hafnium—and issued a security fix. But by then attackers were looking for targets across the entire internet: in addition to tens of thousands of reported victims in the US, governments around the world are announcing that they were compromised too. Now at least 10 hacking groups, most of them government-backed cyber-espionage teams, are exploiting the vulnerabilities on thousands of servers in over 115 countries, according to the security firm ESET.

While President Joe Biden contemplates retaliating against the Russian hackers whose attack on another software company, SolarWinds, became public in December, the Hafnium hack has become an enormous free-for-all, and its consequences could be even worse. As experts sprint to close the holes opened up by the Chinese hacking, officials say the American government is focused closely on what happens next to thousands of newly vulnerable servers—and how to respond to China.

“The gates are wide open to any bad actor that wants to do anything to your Exchange server and the rest of your network,” says Sean Koessel, vice president at Volexity, the cybersecurity firm that helped discover the hacking activity. “The best case is espionage—somebody who just wants to steal your data. The worst case is ransomware getting in and deploying it across the entire network.”

The distinction between the two attacks is not just about technical details, or even which country committed them. Although 18,000 companies downloaded the compromised SolarWinds software, the number of genuine targets was just a fraction that size. Hafnium, meanwhile, was far more indiscriminate.

“Both started out as espionage campaigns, but the difference really is how they were conducted,”  says Dmitri Alperovitch, chairman at the Silverado Policy Accelerator. “The Russian SolarWinds campaign was very carefully done, where the Russians went after the targets they cared about and they shut down access everywhere else, so that neither they nor anyone else could get into those targets that were not of interest.” 

“Contrast that with the Chinese campaign,” he says. 

“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They left web shells that can now enable others to get into those networks, potentially even ransomware actors. That’s why it’s highly reckless, dangerous, and needs to be responded to.”

Exploitation en masse

The beginning of the Hafnium campaign was “very under the radar,” says Koessel.

The hacking was missed by most security checks: it was only spotted when Volexity noticed strange and specific internet traffic requests to the company’s customers who were running their own Microsoft Exchange email servers. 

A month-long investigation showed that four rare zero-day exploits were being used to steal entire mailboxes—potentially devastating for the individuals and companies involved, but at this point there were few victims, and the damage was relatively limited. Volexity worked with Microsoft for weeks to fix the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only did the number of victims start to rise, but there was also an increase in the number of hacking groups.

It’s not clear how multiple government hacking groups became aware of the zero-day vulnerabilities before Microsoft made any public announcement. So why did the extent of the exploitation explode? Perhaps, some suggest, the hackers may have realized their time was almost up. If they did know a patch was coming, how did they find out? 

“I think it is very uncommon to see so many different [advanced hacking] groups having access to the exploit for a vulnerability while the details are not public,” says Matthieu Faou, who leads research into the Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities were somehow leaked to the threat actors,” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”

Volexity watched Hafnium lurk inside networks for a month, and took steps to kick them out before Microsoft issued a patch. That could have been the trigger that made Hafnium escalate. Or, Alperovitch suggests, the hackers could have figured out another way that a patch was coming—security teams all around the industry, including those at Microsoft, regularly exchange information about vulnerabilities and fixes in advance. Once Microsoft made the public announcement, even more hacking groups joined the fray.

“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,” says Faou. All except one of the active hacking groups are known government-backed hacking teams focused on espionage. “However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” he says.

As the activity ramped up, Volexity saw another change in behavior: hackers left web shells as they broke into these systems. These are simple hacking tools that allow persistent, remote back-door access to infected machines so the hacker can control them. They can be effective, but they are also relatively noisy and easy to spot. 

Once hackers drop a shell on a machine, they can keep coming back until it’s been cleaned up—even fixing the vulnerabilities originally at fault won’t clean up the shells. But the web shell itself is barely secured and can be co-opted by other hackers—first to break into the Exchange servers and steal emails, and then to attack entire networks.

“It’s a door with a lock that’s easily picked,” says Alperovitch, a cofounder of the security firm CrowdStrike who left the company last year.

A different challenge

The hacking continues to ramp up. Microsoft took the rare step on Monday of releasing security patches for unsupported versions of Exchange that would normally be too old to secure—athe  sign of how severe the company believes the attack is. Microsoft has declined to comment.

While the White House weighs a response, the risk grows. The Biden administration is slowly dealing with the sophisticated espionage of SolarWinds, but the chaos of the Hafnium hacks presents a different challenge entirely—both in fixing the problem and responding to hackers behind it.

“There needs to be a message that is sent to the Chinese that this is unacceptable,” Alperovitch argues. The US needs to make it clear “that we’re going to hold them accountable for any damage that results from criminal actors leveraging this access,” he says, “and we need to push them to remove those web shells from all the victims ASAP.”

By ASNF