5 years after major Microsoft Exchange break-in: Chinese arrested

Hundreds of thousands of MS Exchange servers were hacked in 2020-2021. Now the USA wants to put a Chinese man on trial for this. He is being held in Italy.

Artist's impression: A finger taps on a transparent display from behind, on which "DATA BREACH" is written in a glowing circle

(Image: Photon photo/Shutterstock.com)


The US Department of Justice reports a successful manhunt in the case of the attacks on Microsoft Exchange servers carried out worldwide in 2020 and 2021: Italy has arrested the Chinese citizen Xu Z. in Milan. The USA is seeking his extradition. A US indictment published on Tuesday accuses the 33-year-old and his 44-year-old compatriot of being involved in the wave of attacks. Also charged are two as yet unnamed spies from the People's Republic, who are said to have guided the two perpetrators.

Although they are said to have been employed by a Chinese company, the indictment states that they were in fact acting on behalf of Chinese state security. The aim of the attacks on the Exchange servers was allegedly to spy on research results on the coronavirus that caused the global COVID-19 pandemic. The allegations have not yet been proven, and the two defendants are presumed innocent.

According to the indictment, the targeted attacks against universities, immunologists, and virologists began as early as February 2020. At the end of 2020, the perpetrators began exploiting then-unknown vulnerabilities in Microsoft Exchange Server to penetrate the servers and install permanent backdoors (Advanced Persistent Threats, APT). At the beginning of January 2021, the security firm Volexity noticed attacks on Exchange servers. Even before Microsoft was able to plug the gaps, the attacks were intensified at the end of February 2021 and became more widespread, in order to install a backdoor on as many systems as possible.


When Microsoft released security updates at the beginning of March 2021, the attacks were intensified once again. Apparently, the attackers wanted to quickly embed themselves in as many systems as possible before the gaps were closed. The attacks hit government agencies, defense companies, research institutions conducting research on COVID-19, and other companies in the USA.

More than 100,000 Exchange servers are said to have been affected in the USA, and several tens of thousands in Germany. The German Federal Office for Information Security (BSI) assumed that every Exchange system that had not been secured was infected with a backdoor. According to estimates by the British Foreign Office and the National Cyber Security Centre, more than a quarter of a million servers worldwide are thought to have been compromised.

The group of perpetrators became known in IT security circles as Hafnium. As early as 2021, the USA, the European Union, and other allies identified the People's Republic of China as the mastermind. Beijing denied the allegations.

In legal terms, the indictment contains nine charges. These include intentional damage to protected computers, obtaining information by unauthorized access to protected computers, aggravated identity theft, wire fraud, and conspiracy in each case. Conspiracy charges are easier to prove because it does not matter which member of a group of perpetrators actually carried out, or is responsible for, which aspect of the crime. Only the unlawful participation is decisive.

The case is pending in the US Federal District Court for Southern Texas under case number 4:23-cr-00523.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.