The Future Is Here
We may earn a commission from links on this page

Hackers Are Swarming Microsoft Exchange

We may earn a commission from links on this page.
Image for article titled Hackers Are Swarming Microsoft Exchange
Photo: Jeenah Moon (Getty Images)

Those Microsoft Exchange security flaws you may have heard about are really getting pummeled. If ever there was a time for cybersecurity reporters to trot out metaphors involving phrases like “blood in the water” and maybe “deranged swarm of piranhas,” it might be right now.

At least 10 separate advanced persistent threat actors (a fancy term for well-organized hacker groups) are targeting the email product’s vulnerabilities, according to a recent report from security firm ESET. This is contrary to what Microsoft initially said, which is that the flaws were mainly being targeted by one group, a “state-sponsored” threat actor located in China that they are calling “HAFNIUM.”


Instead, ESET reports that Exchange is basically getting pillaged by close to a dozen different groups, all of which have names that sound like bad gamertags, including Tick, LuckyMouse, Calypso, Websiic, Winnti, TontoTeam, Mikroceen and DLTMiner. There are also apparently two other hacker groups that have not yet been identified. So, yeah, it’s a pretty big mess.


The hacking seems to have picked up directly after Microsoft released its patches, too, as ESET’s report states that “the day after the release of the patch” security researchers “started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse.”

A new report from security researchers with DomainTools has also thrown cold water on the idea that “HAFNIUM” is actually a hacker group associated with the Chinese government. So, on top of everything else, it’s not even clear who or what “HAFNIUM” is:

“While such a link [to the PRC] is certainly possible and has not been ruled out, as of this writing no conclusive evidence has emerged linking HAFNIUM operations to the People’s Republic of China (PRC). And HAFNIUM is also far from the only entity assessed to be targeting this vulnerability.”

Who is getting targeted? According to a warning from the FBI published Wednesday, it would appear the answer is: pretty much everybody.

Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.


While the entities in the U.S. said to be affected number 30,000 or more, it’s so far been a slow trickle of disclosures—though local governments and small businesses are thought to be some of the more heavily targeted. On Wednesday, U.S. officials said that, so far, there is no evidence of federal executive agencies having been compromised by the attacks.