At least 10 APT hacking groups have exploited Exchange Server bugs, ESET warns

It's a feeding frenzy.
Researchers at Slovakian anti-virus company ESET made the discovery. (Scoop News Group photo)

Critical vulnerabilities in Microsoft software have turned into a feeding frenzy for state-linked hackers.

At least 10 such hacking groups have exploited the flaws in the Exchange Server email program in recent days in operations around the world, anti-virus firm ESET said Wednesday. Many of the groups have well-documented links to China.

The surge in hacking suggests multiple sets of espionage groups had access to the software exploit before Microsoft released fixes for it on March 2. It also compounds the challenges facing incident responders who are rushing to deal with the breaches, and bracing for additional exploitation of the bugs by criminal hackers.

“It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” ESET researchers wrote in a blog post Wednesday.


The intrusions by advanced persistent threat groups tracked by ESET include a hack of a Middle East government email server by Beijing-linked APT27, as well as a breach of an East Asia-based IT provider by another suspected Chinese group, Bronze Butler. The notorious Winnti Group, another broad set of hacking activity linked with China, has broken into the servers of oil and construction firms in East Asia, according to ESET.

In the U.S. the Biden administration has scrambled to address the Exchange Server exploitation as tens of thousands of state and local government organizations and businesses appear to be vulnerable. A White House official said Monday that “high levels” of the National Security Council were responding to the crisis.  

Microsoft has taken the unusual step of issuing security fixes for older, unsupported versions of Exchange Server to try to blunt the impact of the hacking.

Cybersecurity officials from other governments were also grappling with a problem that shows no signs of abating. German officials said Monday that the country had 26,000 instances of the vulnerable Exchange Server software sitting on the internet. The Norwegian parliament, meanwhile, said Wednesday that unidentified hackers had used the Exchange bugs to break into the legislative body’s IT systems and steal data.

The potential for ransomware actors and other opportunistic criminals to enter the fray has IT experts concerned. Dave Kennedy, founder of security firm TrustedSec, said Tuesday that cryptocurrency miners were being installed on vulnerable servers, signaling an expansion of criminal activity exploiting the situation.

Written by Sean Lyngaas