No signs yet of Exchange Server compromises at federal agencies, CISA says

It's a welcome reprieve for federal officials trying to respond to the hacking bonanza.
Acting CISA Director Brandon Wales (left) and CISA Executive Assistant Director Eric Goldstein testify remotely before a House Appropriation subcommittee on March, 10, 2021. (CyberScoop)

U.S. officials have yet to find any signs that federal civilian agencies have been breached in recent widespread exploitation of Microsoft software, a senior Department of Homeland Security official told lawmakers Wednesday.

The “vast majority” of civilian agencies have addressed vulnerabilities in the Exchange Server email software following an emergency directive from DHS’s Cybersecurity and Infrastructure Security Agency (CISA), said Eric Goldstein, the agency’s executive assistant director for cybersecurity. But Goldstein cautioned in  testimony before a House Appropriations subcommittee that the malicious cyber activity is “an evolving campaign, with new information coming in by the hour.”

The news is a welcome reprieve for federal officials who have been consumed with responding to the critical Exchange Server flaws amid reports that tens of thousands of U.S. state and local government organizations and small businesses could be affected.

Microsoft disclosed the vulnerabilities on March 2 while accusing a Chinese government-linked hacking group of exploiting the flaws to steal emails from target organizations (Beijing denies the allegations). But the security concerns have grown more pressing since, as researchers worry that cybercriminals could take advantage of the vulnerabilities to deploy ransomware. The hacking bonanza is a global issue, with researchers reporting Wednesday that several China-linked hacking groups have exploited the bugs in campaigns on various continents.  


The state and local organizations besieged by the Exchange Server vulnerabilities are often strapped for security resources needed to recover from such hacking incidents. The National Governors Association has shared information about the threat with CISA, and the association will “continue to monitor the situation and provide guidance as necessary,” an NGA spokesperson said Monday.

The Exchange Server hacking comes as federal officials are still recovering from a sweeping suspected Russian espionage campaign that exploited software made by federal contractor SolarWinds, among other vendors. Nine U.S. federal agencies have been infiltrated, according to U.S. officials, and President Joe Biden has ordered a U.S. intelligence community assessment of the breaches.

Brandon Wales, CISA’s acting director, told lawmakers Wednesday that both the supply-chain breach involving SolarWinds and the Exchange Server breaches are proof that the U.S. government “must raise our game” in cybersecurity.

“We need cybersecurity tools and services that provide us a better chance of detecting the most sophisticated attacks,” Wales said. “And we need to rethink our approach to managing  cybersecurity across 101 federal civilian executive branch agencies.”

The $1.9 trillion coronavirus relief package that Congress cleared on Wednesday includes some $650 million in additional funding for CISA.


U.S. officials have previously said the hacking exploiting SolarWinds is “likely Russian in origin.” Wales said Wednesday that additional details on that attribution will be made public “soon.” Moscow has denied involvement.

Greg Touhill, a former federal chief information security officer, echoed Wales’ assessment.

“All of these things point toward the need to make zero-trust an overarching strategic initiative for this administration,” Touhill told CyberScoop, referring to a security principle that assumes networks will be breached in an effort to mitigate the damage. 

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts