Multiple hacking groups exploited vulnerabilities in Microsoft Exchange to gain “long-term access” to the server of an unnamed defense company.

The attackers, who had been exploiting the vulnerability as early as January 2021, stole what Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called sensitive data — the company’s email, meetings, contacts, and other records. 

In a Cybersecurity Advisory (CSA), CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) highlighted this advanced persistent threat (APT) activity observed on a Defense Industrial Base (DIB) sector organization’s enterprise network.

APT actors used the open-source toolkit Impacket to gain a foothold within the environment and the data exfiltration tool CovalentStealer to steal the victim’s sensitive data.

According to CISA, the APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, is common for these threat actors, CISA says.

According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access Exchange Web Services (EWS), which enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections was mostly from the VPS hosting provider, M247.
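The IIS-log finding above (a former employee's account hitting EWS from a hosting provider's address space) is the kind of signal a defender can hunt for directly in W3C-format IIS logs. The following is an added example, not code from the article or from the CISA advisory: it parses a constructed IIS log excerpt using the `#Fields:` header for column names, then flags EWS requests made by accounts that should no longer authenticate or arriving from outside the address ranges where EWS clients are expected. The account names, IP addresses, and the `DEPROVISIONED_ACCOUNTS` and `EXPECTED_CLIENT_RANGES` inputs are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample IIS W3C log excerpt (not taken from the advisory).
# Accounts, hostnames and IP addresses are invented; IIS writes "+" in place
# of spaces inside cs(User-Agent), so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-01-14 03:12:07 10.0.0.25 POST /ews/exchange.asmx - 443 CORP\\jdoe 198.51.100.17 ExchangeServicesClient/15.00.0847.030 200
2021-01-14 03:12:09 10.0.0.25 POST /ews/exchange.asmx - 443 CORP\\jdoe 198.51.100.17 ExchangeServicesClient/15.00.0847.030 200
2021-01-14 08:41:55 10.0.0.25 POST /ews/exchange.asmx - 443 CORP\\asmith 10.0.5.44 Microsoft+Office/16.0 200
2021-01-14 09:02:13 10.0.0.25 GET /owa/ - 443 CORP\\asmith 10.0.5.44 Mozilla/5.0 200
2021-01-15 02:58:40 10.0.0.25 POST /ews/exchange.asmx - 443 CORP\\jdoe 203.0.113.9 ExchangeServicesClient/15.00.0847.030 200
2021-01-15 10:15:01 10.0.0.25 POST /ews/exchange.asmx - 443 CORP\\bwong 10.0.7.120 Microsoft+Office/16.0 200
"""

# Assumed defender-side inputs: accounts that must no longer authenticate
# (e.g. former employees, as in the incident) and the ranges from which
# legitimate EWS clients are expected (on-prem LAN plus corporate VPN egress).
DEPROVISIONED_ACCOUNTS = {"corp\\jdoe"}
EXPECTED_CLIENT_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
EWS_PATH = "/ews/exchange.asmx"


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("request line appears before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def find_suspicious_ews_access(text, deprovisioned=DEPROVISIONED_ACCOUNTS,
                               expected_ranges=EXPECTED_CLIENT_RANGES):
    """Return EWS requests by deprovisioned accounts or from unexpected source ranges."""
    findings = []
    for rec in parse_iis_w3c(text):
        if rec["cs-uri-stem"].lower() != EWS_PATH:
            continue
        reasons = []
        if rec["cs-username"].lower() in deprovisioned:
            reasons.append("deprovisioned account")
        client = ipaddress.ip_address(rec["c-ip"])
        if not any(client in net for net in expected_ranges):
            reasons.append("source outside expected client ranges")
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "user": rec["cs-username"],
                "src": rec["c-ip"],
                "reasons": reasons,
            })
    return findings


def summarize_by_user_and_source(findings):
    """Collapse findings into (account, source IP) -> request count for triage."""
    return Counter((f["user"], f["src"]) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_ews_access(SAMPLE_IIS_LOG)
    for (user, src), n in summarize_by_user_and_source(hits).items():
        print(f"{user} from {src}: {n} EWS request(s)")
```

On real logs the deprovisioned-account list would come from the identity system (disabled or deleted accounts in Active Directory) and the expected ranges from the network inventory; any EWS hit outside both is worth correlating with authentication logs, since in this incident the same account and a consistent hosting-provider source recurred over months.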

Tom Kellermann, CISM, senior vice president of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for President Barack Obama’s administration, which worked on assessing and improving U.S. cyber infrastructure, says that the national security implications of this espionage campaign are significant. “The Chinese threat actor behind this intrusion represents their ‘A team.’ With tensions simmering over Taiwan, we presume more of these infiltrations are occurring. The likelihood of them island hopping through the victim organization into military networks is high. Expanded threat hunting across Microsoft Exchange servers and their administrators’ endpoints is imperative. My biggest concern is whether the integrity of the data was manipulated post-exploitation.”

The joint CSA provides the APT actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization.

The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the FBI, and the NSA recommend that DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.