FireEye CEO: Reckless Microsoft hack unusual for China

Full Screen
1 / 2

The CEO of FireEye Kevin Mandia gives a tour of the cybersecurity company's unused office space in Reston, Va., Tuesday, March 9, 2021. Mandia said 550 of his employees are working remotely and responding to a recent barrage of cyber breaches, including four different zero-day attacks against Microsoft Exchange. (AP Photo/Nathan Ellgren)

RESTON, Va. – Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running Microsoft's Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

The second wave, which began Feb. 26, is highly uncharacteristic of Beijing's elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.

“You never want to see a modern nation like China that has an offense capability — that they usually control with discipline — suddenly hit potentially a hundred thousand systems,” Mandia said Tuesday in an interview with The Associated Press.

Mandia said his company assesses based on the forensics that two groups of Chinese state-backed hackers — in an explosion of automated seeding — installed backdoors known as “web shells” on an as-yet undetermined number of systems. Experts fear a large number could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.

Across the globe, cybersecurity teams are scrambling to identify and shore up hacked systems. The National Governors Association sent a rare alert to governors on Tuesday asking them amplify “both the severity of the threat and the next steps” local governments, businesses and operators of critical infrastructure should take.

David Kennedy, CEO of the cybersecurity firm TrustedSec, tweeted Tuesday that resource-demanding programs that “mine” cryptocurrencies were being installed on some compromised Exchange servers.

The White House has called the overall hack an “active threat,” but so far has not urged tough action against China or differentiated between the two waves — at least not publicly. Neither the White House nor the Department of Homeland Security offered comment on whether they attribute the second wave to China.

The assessment of Mandia, who has been dealing with Chinese state-backed hackers since 1995 and has long had the ear of presidents and prime ministers, squares with that of Dmitri Alperovitch, former chief technical officer of CrowdStrike, the other cybersecurity powerhouse in the Washington, D.C., area. Alperovitch says China needs to be immediately put on notice: Shut down those web shell implants and limit collateral.