WASHINGTON (BLOOMBERG) - China's global attack on Microsoft's popular e-mail software revealed last week and an equally sprawling Russian attack discovered three months ago have created a two-front war that threatens to overwhelm cyber security's emergency responders, according to former US officials and private security firms.
The coincidence of two far-reaching hacking campaigns launched by Russia and China, discovered just weeks apart, is now rippling across the global economy - swamping insurers, IT staff, and firms that specialise in hunting and ejecting hackers.
The twin hacking campaigns involve the US' two most powerful cyberspace adversaries, and both have led to emergency meetings of the White House National Security Council, in part because of the unusually wide net cast by the attackers.
But for the tens of thousands of companies that have been impacted by one or another of the attacks, the one-two punch has left them scrambling to secure their computer systems - in some cases from hackers who are piling on the original nation-state attacks.
"It's a race," said Mr Tom Burt, Microsoft's corporate vice-president for customer security and trust. "Since the time we went public with the update's availability, we've seen the number of compromised customers just explode. It went up incredibly rapidly and continues to increase."
Microsoft Corp disclosed on March 2 that suspected Chinese state-sponsored hackers were exploiting four previously unknown vulnerabilities in the company's widely used Exchange business e-mail software and issued a patch for those systems.
Since that disclosure, other hackers have used automated programs to scan the Internet, in some cases looking for companies that have yet to install the fix. Some of those are criminal groups trying to repurpose secret entry points that China installed in its numerous victims, according to cyber-security companies monitoring the aftermath.
The close proximity of the Chinese and Russian attacks may not be a coincidence, security experts say. China may have timed its effort to take advantage of the distraction created by the Russian hack, which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp, including key government agencies.
"The attack on Microsoft Exchange is a cold and calculated assault," said Mr Lior Div, co-founder and chief executive officer of Cybereason, a Boston-based security company. "The Chinese attackers know exactly what they are doing. The new administration has been distracted by investigations into another US adversary on the cyber battlefield - Russia - and its calculated breach against SolarWinds."
A White House spokesman said on Monday (March 8) that high-level members of US President Joe Biden's National Security Council worked through the weekend responding to the latest incident.
And the US Cybersecurity and Infrastructure Security Agency, in an emergency advisory on Monday, described hackers' exploitation of the flaws in Microsoft's e-mail product as now "widespread and indiscriminate".
For months before they were caught in December, Russian state hackers used altered SolarWinds software to spy on at least nine US government agencies and hundreds of companies. China's hack has already claimed 60,000 victims globally, Bloomberg reported last Saturday, though some estimates have put the number of Exchange servers that could be vulnerable to infection at close to 300,000 worldwide.
"I can't think of an equivalent breach," Mr Alex Stamos, a cyber-security consultant and the former head of security at Facebook, said of the Chinese attack. "It's a combination of the kind of mass-exploitation you often see with unpatched home routers, but instead of crypto-miners who are having no impact, these attackers are able to get all an organisation's e-mail."
One victim of the most recent attack is the European Banking Authority, which said on Monday that it had shut down its e-mail systems while it carried out an investigation into a "cyber attack" on its Microsoft Exchange servers.
Mr Radu Burghelea, head of information technology, confirmed that the organisation had discovered malicious software on the servers but not yet detected the theft of any e-mails from them.
The tactics used by China in particular leave victims vulnerable to other hackers. Victims could have their IT systems locked up by ransomware gangs, the personal information of their customers and employees stolen and sold to identity thieves, or their computers used to attack others.
"Currently, most of what we have observed has been automated scanning and reconnaissance," said Mr Mat Gangwer, a senior director of managed threat response for Sophos Ltd, a British cyber-security company. "The real question will be, are these organisations able to patch, assess and clean their environments before more harmful actors, such as ransomware groups, begin leveraging" the malicious code that's been installed on the servers, he added.
That job will fall to specialised security firms and in-house IT staff that are already exhausted from weeks of fighting off Russia's sprawling and sophisticated attack.
"What makes it even harder is that defenders are experiencing successive waves of attacks, and many have not been able to restore their environments to a safe operating condition, even though things may 'seem' normal," said Mr Michael Henry, chief executive officer of Texas-based Arbala Security Inc, describing his work with clients dealing with back-to-back issues of SolarWinds and now the Exchange server vulnerabilities.
In the most recent incident, companies can install the patch issued last week by Microsoft, but that does not mean the hackers will be gone. In some cases, specialised teams will need to scour the infected computer systems, looking for hidden entry points planted by the hackers in order to shut them out.
FireEye Inc, a large US cyber-security firm, is now responding to dozens of cases in the US, Europe and Asia in attacks involving the flawed Microsoft code. Still, with not enough experts available from FireEye and other firms, the impact of the latest wave of attacks could linger for weeks or even months.
"There will be backdoors sitting on Exchange servers for quite a while," said Mr Charles Carmakal, senior vice-president at FireEye.