Microsoft warns of state-sponsored Chinese hackers exploiting multiple zero-days

it's a reminder of the formidable Chinese cyber capabilities with which the Biden administration will have to contend.
Microsoft booth at Web Summit Lisbon, 2019.
(Web Summit / Flickr)

A Chinese government-backed hacking group has been using previously unknown software exploits in “limited and targeted” data-stealing attacks on organizations that use a popular email software program, Microsoft warned Tuesday.

The culprit, Microsoft said, is a group of China-based hackers dubbed Hafnium that the technology giant is discussing publicly for the first time. Hafnium has previously tried to hack U.S.-based infectious disease researchers, defense contractors and educational institutions. Microsoft said the group’s latest campaign has gone after similar targets.

The attackers have exploited multiple so-called “zero day” bugs in the Microsoft Exchange Server software in an apparent espionage campaign, Microsoft said. Zero day flaws are so-named because security staffers were likely unaware of the issue, and thus have had zero days to create a fix. Breaking into Exchange Server could offer the attackers access to any sensitive communications that a business has conducted by email.

“We strongly encourage all Exchange Server customers to apply these updates immediately,” Microsoft vice president Tom Burt said in a statement. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”


The security implications of the disclosure go well beyond the targeted victim organizations. Microsoft’s announcement allows other organizations to apply fixes for the software flaws, but could also set off a race among other state-sponsored actors or criminal groups to exploit unpatched systems.

After accessing the Exchange software, the attackers planted malicious code to facilitate long-term access to victim machines, according to Microsoft. And as Russian hackers have previously done, the suspected Chinese attackers used U.S. computing infrastructure, including virtual private servers, to cloak their operations.

The suspected Chinese hackers used one of the vulnerabilities to “steal the full contents of several user mailboxes,” according to Volexity, a cybersecurity firm that investigated the breaches.

That particular bug in Exchange “is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment,” Volexity said in a blog post Tuesday. “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

The announcement is a reminder that, as the Biden administration prepares to confront Russia over the espionage campaign involving software built by the U.S. contractor SolarWinds, China’s cyber capabilities also pose a formidable challenge.  


Despite a series of U.S. Justice Department indictments of alleged China-backed hackers over several years, evidence of Beijing’s hacking operations continues to surface. The Chinese government routinely rejects allegations that it conducts cyberattacks.

Tuesday’s announcement is part of a Microsoft strategy to regularly out state-sponsored hacking campaigns in hopes of protecting its customers and other software vendors.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts