Victims of Microsoft Exchange Server zero-days emerge

Affected organizations are cropping up in the Czech Republic and Norway.

The list of victims potentially affected by Microsoft zero-day flaws is growing by the day.

The email systems of the city of Prague and the Czech Republic’s Labour Ministry have been impacted in recent days in hacking incidents, government officials said Thursday. The Czech Office for Cyber and Information Security confirmed it is responding to attacks caused by the zero-days, while Norway’s National Security Authority also warned victims were cropping up in Norway earlier this week.

The steady flow of announcements of email hacking should come as no surprise after the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned of the “likelihood of widespread exploitation” of vulnerabilities that Microsoft revealed earlier this week. The bugs were first exploited in an apparent espionage operation run by a Chinese state-sponsored group interested in accessing email accounts and targeting victims with malware in order to establish long-term data collection capabilities, according to Microsoft.

U.S. defense contractors, think tanks and international aid organizations have also reportedly been impacted, according to Volexity, which has investigated compromises extending from these vulnerabilities.


Researchers at FireEye’s threat intelligence division Mandiant said in a blog post published Thursday they have observed the attackers in at least one client environment.

In some spying operations, hackers have stolen entire contents of user mailboxes, Volexity said.

Now that the vulnerabilities and their patches have been announced, it’s likely that other hackers, nation-states and criminals alike, will move to take advantage of those organizations that don’t patch quickly, Tom Burt, Microsoft’s corporate vice president for customer trust & security, warned this week. Mandiant also said it expects “additional clusters” of activity to emerge in the coming days.

It was not clear if the suspected Chinese hackers, which Microsoft calls “Hafnium,” or other hackers were responsible for the hacking in the Czech Republic and Norway.

It was not immediately clear if the email hacking incidents in Prague and at the Czech Republic’s Labour Ministry were caused by exploitations of the zero-day flaws, but the government is investigating possible links, according to a person familiar with the probe.


Investigators are probing whether the attempted compromises of email systems at the Czech Labor Ministry and the City of Prague are related to the Exchange Server vulnerabilities, the person said.

In a rare statement, the Biden administration’s national security adviser, Jake Sullivan, acknowledged the security issue on Thursday, warning all network owners to address the Microsoft Exchange Server zero-days with the patch.

“We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities,” Sullivan said in a tweet. “We encourage network owners to patch ASAP.”

Sullivan’s tweet comes as the Biden administration is simultaneously grappling with the fallout from the breach at SolarWinds, a U.S. federal contractor that was ensnared in a suspected Russian espionage operation affecting federal agencies and the private sector.

While the attacks don’t appear to be linked, according to Microsoft, both the SolarWinds breach and the suspected Chinese spying operation represent an increasingly urgent dilemma for the federal government. Both operations are believed to have been launched from within the U.S., a step which likely helped both the suspected Russian and Chinese hackers evade detection. (The alleged Chinese hackers had apparently leased virtual private servers in the U.S., according to Microsoft.)


As part of their response to the SolarWinds breach, in which suspected Russian hackers laced malware through a product’s software update, lawmakers on Capitol Hill have been working to better understand how the federal government and the private sector can block and prevent state-backed hackers from sneaking into U.S. companies and federal agencies unabated.

Sean Lyngaas contributed reporting.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
