US, UK authorities say Russian state-sponsored hackers exploited Microsoft vulnerabilities

Russian state-sponsored hackers were among those to exploit recently uncovered vulnerabilities in Microsoft’s Exchange Server email application, which potentially compromised thousands of organizations, a coalition of American and British federal agencies warned Friday.

The finding was part of a joint advisory released Friday by the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre that detailed cybersecurity tactics and techniques Russia’s Foreign Intelligence Service, or SVR, uses to hack global organizations.

The agencies warned that the SVR had been “observed making use of numerous vulnerabilities, most recently the widely reported Microsoft Exchange vulnerability,” and that the Russian hackers deploy webshells on servers they are able to breach, along with using them for “further exploits.”

The agencies also stressed in the advisory, written by British authorities, that the SVR is “a technologically sophisticated and highly capable cyber actor” that had “developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours.”

Microsoft in March announced it had uncovered previously unknown vulnerabilities in its Exchange Server program, and that at least one Chinese state-sponsored hacking group was exploiting the vulnerabilities to access thousands of organizations around the world for at least two months prior to discovery. 

CISA issued an emergency directive in March ordering all federal agencies to immediately investigate, patch or disconnect their systems from Microsoft Exchange Server. The Biden administration also took action, convening a “unified coordination” group consisting of the FBI, CISA, NSA and the Office of the Director of National Intelligence to respond to the hack. 

The incident came on the heels of the SolarWinds hack, first discovered late last year, which involved Russian hackers compromising software from the IT group to breach nine federal agencies and at least 100 private sector groups. 

The joint advisory was issued almost a month after President Biden — along with Five Eyes intelligence sharing partners the U.K., Canada, New Zealand, and Australia — formally attributed the SolarWinds hack to the Russian SVR.  

The U.S. issued a sweeping set of sanctions against Russia as a result of the attribution and expelled 10 personnel from the Russian diplomatic mission in Washington, D.C.. Russia responded by banning many top Biden administration officials from entering the country and requesting that some senior U.S. diplomats leave the country. 

Biden, who will soon sign an executive order aimed at improving federal cybersecurity, described the sanctions during a speech in April as “proportionate” measures to respond to both the SolarWinds incident and Russia’s interference in U.S. elections. 

“The United States is not looking to kick off a cycle of escalation and conflict with Russia,” Biden said during remarks at the White House last month. “We want a stable, predictable relationship. If Russia continues to interfere with our democracy, I am prepared to take further actions to respond.”