"It's massive. Absolutely massive," one former national security official with knowledge of the investigation told WIRED. "We're talking thousands of servers compromised per hour, globally."

In a press conference Friday afternoon, White House press secretary Jen Psaki warned anyone running the affected Exchange servers to implement Microsoft's patch for the vulnerabilities immediately. "We are concerned that there are a large number of victims and are working with our partners to understand the scope of this," Psaki said in a rare instance of a White House press secretary commenting on specific cybersecurity vulnerabilities. "Network owners also need to consider whether they have already been compromised and should immediately take appropriate steps." That White House advice echoed a tweet from former Cybersecurity and Infrastructure Security Agency director Chris Krebs on Thursday night advising anyone with an exposed Exchange server to "assume compromise" and begin incident response measures to remove the hackers' access.
The affected networks, which likely include those of small and medium-size organizations more than the large enterprises that tend to use cloud-based email systems, appear to have been hacked indiscriminately via automated scanning. The hackers planted a "web shell"—a remotely accessible, web-based backdoor foothold—on the Exchange servers they exploited, allowing them to perform reconnaissance on the target machines and potentially move to other computers on the network.

That means only a small number of the hundreds of thousands of hacked servers around the world are likely to be actively targeted by the Chinese hackers, says Volexity founder Steven Adair. Nonetheless, any organization that doesn't take pains to remove the hackers' backdoor remains compromised, and the hackers could reenter their networks to steal data or cause mayhem until that web shell is removed. "A massive, massive number of organizations are getting that initial foothold," says Adair. "It's a ticking time bomb that can be used against them at any point in time."
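The "assume compromise" advice above comes down to checking whether files an attacker dropped are sitting in the server's web root. The following is an added example, not code from the article, Microsoft or Volexity: it compares the server-side script files under an Exchange front-end directory against a known-good hash baseline and reports anything new or modified, which is how a web shell planted after the baseline shows up. The directory layout and file names are constructed for the demo; a real run would point `triage` at a copy of the production web root and at a baseline taken from a clean install.

```python
"""Web-shell triage by baseline comparison (added example, not the article's code)."""
import hashlib
import tempfile
from pathlib import Path

# Server-side script types that an attacker-planted web shell would typically use.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each server-side script under root (relative, '/'-separated) to its hash."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
    }


def triage(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report scripts not in the baseline (dropped files) and scripts whose hash changed."""
    current = build_baseline(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean tree, then one tampered page and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth = root / "owa" / "auth"  # assumed layout, mirrors an OWA auth directory
        auth.mkdir(parents=True)
        (auth / "logon.aspx").write_text('<%@ Page Language="C#" %> legitimate logon page')
        baseline = build_baseline(root)  # taken while the tree is known-good
        (auth / "logon.aspx").write_text("<%@ Page %> tampered content")
        (auth / "unknown.aspx").write_text("<% /* constructed placeholder file */ %>")
        return triage(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Files flagged as new or modified are leads for incident response, not verdicts; compare them against the vendor's files for the installed build before removing anything.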
Though the vast majority of intrusions appear to have consisted only of those web shells, the "astronomical" scale of those global compromises is uniquely disturbing, one security researcher who participated in the investigation told WIRED. The small to medium-size organizations that were compromised include local government agencies, police, hospitals, Covid response, energy, transportation, airports, and prisons. "China just owned the world—or at least everyone with Outlook Web Access," the researcher said. "When was the last time someone was so bold as to just hit everyone?"
Some of the remediation will involve steps that congressional security already performs as a matter of course, like extensively reviewing security camera footage from the House and Senate floor, in hallways, and other spaces to see what intruders did, including what interactions they may have had with electronics.