Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions

The White House is calling it an active threat, promising a ‘whole of government response’

Illustration by Alex Castro / The Verge

On Friday, cybersecurity journalists Brian Krebs and Andy Greenberg reported that as many as 30,000 organizations had been compromised in an unprecedented email server hack, believed to have originated from a state-sponsored Chinese hacking group known as Hafnium.

Over the weekend, that estimate has doubled to 60,000 Microsoft Exchange Server customers hacked around the world, with the European Banking Authority now admitting that it’s one of the victims — and it looks like Microsoft may have taken a little too long to realize the severity of the flaws and patch them. Krebs has now put together a basic timeline of the massive Exchange Server hack, and he says Microsoft has confirmed it was made aware of the vulnerabilities in early January.

That’s nearly two months before Microsoft issued its first set of patches, alongside a blog post that didn’t explain the scope or scale of the attack. Originally, it was even planning to wait for one of its standard Patch Tuesdays but relented and pushed it out a week early.

Now, MIT Technology Review reports Hafnium may not be the only threat, citing a cybersecurity analyst who claims there appear to be at least five hacking groups actively exploiting the Exchange Server flaws as of Saturday. Government officials are reportedly scrambling to do something, with one state official telling Cyberscoop that it’s “a big F’ing deal.”

More diplomatically, White House press secretary Jen Psaki called it “an active threat,” drawing more attention to the emergency directive that the Department of Homeland Security’s cybersecurity agency sent out March 3rd. White House national security adviser Jake Sullivan has warned about it as well, as have former Cybersecurity and Infrastructure Security Agency director Christopher Krebs and the White House National Security Council.

At this point, the message should be clear that anyone who installed a local Microsoft Exchange Server (2010, 2013, 2016, or 2019) needs to patch and scan, but we’re only beginning to understand the scope of the damage. Hackers reportedly installed malware that can let them right back into those servers again, and we don’t yet know what they might have already taken.

“We are undertaking a whole of government response to assess and address the impact,” reads part of an email from a White House official, according to Bloomberg.

Microsoft declined to comment about the timing of its patches and disclosures, pointing us to a previous statement instead: “We are working closely with the CISA, other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers. The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Update, 4:27PM ET: Added Microsoft’s decline to comment, and earlier statement.
