Administration to release attribution for Microsoft vulnerabilities in ‘coming weeks’

The Biden administration is working to formally attribute the exploitation of vulnerabilities in Microsoft’s Exchange Server application, which left thousands of organizations vulnerable to attack, “in the coming weeks,” a top official said Tuesday.

“I think you saw the national security adviser Jake Sullivan say that we will attribute that activity, and along with that of course determine what needs to do as a follow up from that and I think you’ll be seeing further on that in the coming weeks,” Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said during a virtual event hosted by the Silverado Policy Accelerator. 

Neuberger’s comments came months after Microsoft announced the discovery of new vulnerabilities in its Exchange Server program, and assessed with “high confidence” that a hacking group known as “HAFNIUM,” a Chinese state-sponsored group, was exploiting these vulnerabilities.

According to Neuberger, around 140,000 organizations were left vulnerable to attack by HAFNIUM or other hacking groups. Tuesday, the official praised Microsoft for quickly releasing a patch that reduced this number to less than 10 vulnerable groups in a week. 

“The Microsoft Exchange vulnerability was a very significant area of concern,” Neuberger said.

Sullivan in March told reporters during a White House briefing that while the administration was not in a position to attribute the hacking incident to China or any other nation at the time, they would do so “in the near future.”

“We won’t hide the ball on that, we will come forward and say who we believe perpetrated the attack,” Sullivan said in March. 

The vulnerabilities in Microsoft’s Exchange Server were also exploited by Russian state-sponsored hackers according to a joint advisory released in May by U.S. and United Kingdom authorities. 

The vulnerabilities in the Exchange Server application were discovered less than three months after the SolarWinds hack was found. SolarWinds involved Russian state-sponsored hackers who compromised nine U.S. federal agencies and 100 private sector groups to conduct espionage for a year.

President Biden in April formerly levied a sweeping set of sanctions on Russia in retaliation for the SolarWinds hack and for election interference efforts. Discussion of U.S. concerns around Russian malign efforts in cyberspace were a key topic of conversation between Biden and Russian President Vladimir Putin at their in-person summit in Switzerland earlier this month. 

The Biden administration is also taking measures to shore up cybersecurity of critical infrastructure after ransomware attacks on Colonial Pipeline, which provides 45 percent of the East Coast’s fuel, and on JBS USA, the nation’s largest beef producer.

The administration announced in April a 100-day plan to strengthen the cybersecurity of the electricity sector. Neuberger said Tuesday that the effort had been “really successful,” and that electric utility companies representing more than 56 million customers have deployed cybersecurity monitoring technology.

Future programs are also planned to address security concerns in the pipeline and water utility sectors.

“Clearly, while this program was designed and the effort was thought through before Colonial, the Colonial ransomware hack emphasized the importance of that linkage between the IT side that is often connected to the internet, and the operational side, which drives operational functionality of a pipeline, of a utility, of a meat processing plant,” Neuberger said. 

“Hence, the need for really cybersecurity sensors monitoring that and trying to detect and block malicious cyber activity,” she stressed.