Massive Hacks Linked to Russia, China Exploited U.S. Internet Security Gap

The attack that Microsoft disclosed last week affected at least tens of thousands of customers and has been linked by the software giant and other security researchers to China-based hackers. The Chinese Embassy in Washington on Tuesday didn’t directly address the charge that China was behind the Microsoft hack and referred to earlier comments from Beijing in which the government said it “opposes and combats cyberattacks and cyber thefts in all forms.”

It is the second major suspected nation-state hack unearthed in the past few months to have employed U.S. servers as a launchpad. Suspected Russian hackers used U.S.-based cloud services to support key stages of their attack that leveraged a hack at SolarWinds Corp. , the Austin, Texas, network software provider through which they penetrated U.S. government and corporate networks. In both cases, the hacks were disclosed by private-sector researchers, not the U.S. government.

The NSA, with its tens of thousands of employees, is one of the main U.S. government organizations responsible for protecting the U.S. in cyberspace. It has vast surveillance powers, though is generally prohibited from using them to collect intelligence on domestic targets, including computer servers inside the U.S. maintained by American companies.

“The combination of these two attacks definitely has pushed us to a tipping point in terms of the policy makers and the executive branch recognizing now that we need to do something,” said Glenn Gerstell, former general counsel at the NSA.

The SolarWinds hackers used cloud-computing systems run by Microsoft and Amazon.com Inc. to launch their attacks. At a Senate hearing last week, Microsoft President Brad Smith said the method was of obvious appeal to the Russians because it enabled them to circumvent U.S. intelligence collection. Amazon declined to appear at the hearing, prompting bipartisan ire from lawmakers, and hasn’t commented publicly on the use of its data centers in the SolarWinds attack.

“This is a sophisticated actor that apparently took the time to research legal authority. It knew that by operating from servers in the United States, it could evade some of the U.S. government’s best threat hunters,” Microsoft Corporate Vice President for customer security Tom Burt said of the Exchange hack.

Based on the internet addresses used, the hack emanated from lesser-known service providers such as DigitalOcean Inc., as well as servers in Hong Kong, the Netherlands, China and other jurisdictions, said Joe Slowik, a researcher with DomainTools. About half the servers identified as connected to the Exchange hack were in the U.S., according to the DomainTools analysis. DigitalOcean didn’t respond to messages seeking comment.

Security experts said Microsoft is caught in the middle of both attacks in part because its products are ubiquitous. It is also a major software provider to the U.S. government and large corporate clients, making Microsoft software flaws appealing targets to hackers trying to spy on U.S. networks, they said.

The Microsoft Exchange attacks were carried out by at least four hacking groups, all of which have been linked to China, said Alexis Dorais-Joncas, a researcher with ESET, a security company that has been tracking the attack.

The attackers may have had other motivations, beyond skirting NSA detection, to use U.S.-based servers, Messrs. Slowik and Dorais-Joncas said. They may have been trying to improve the performance of their software or to avoid security tools that, for example, would block connections originating from China, they said.

Earlier this week, an anonymous hacker posted “proof of concept” code to the internet that could be used by other hacking groups to conduct further attacks on unpatched Microsoft Exchange servers. An internet scan conducted by search-engine company Shodan LLC this week has found more than 70,000 Exchange servers vulnerable to attack. Most of the entities hit by the widespread China-linked attack were law firms, higher-education facilities, or entities conducting research on infectious diseases, said James Alliband, a cybersecurity strategist with business-software provider VMware Inc.

Even before the Exchange hack emerged, U.S. lawmakers from both parties were looking for ways to bolster U.S. cyber defenses, including reviving an oft-stalled effort to create a national data-breach notification law.

At a Congressional hearing last month on the SolarWinds hack, several senators asked tech company executives whether gaps in the ability to monitor domestic infrastructure created opportunities for malicious actors to evade potential detection by U.S. intelligence agencies.

Any attempt to write new laws granting the NSA or other intelligence services domestic surveillance authority would likely face sharp resistance from privacy advocates, who have long worried that new powers would lead to abuses. The NSA has been reluctant to be seen as expanding its espionage capabilities ever since the 2013 disclosures by Edward Snowden that revealed classified details about its domestic and international surveillance programs established following the Sept. 11, 2001, terrorist attacks, former officials have said.

“The government already has the authority to watch every bit of data going in and out of federal networks,” said Sen. Ron Wyden (D., Ore.). “Some in the government now want to ask for new, warrantless surveillance of Americans’ communications to distract Congress from asking unpleasant questions.”

Mr. Wyden added that America’s “$6 billion cyber shield failed to stop or detect the hacks.” The senator was referencing Einstein, a cyber-threat detection system used by the government to try to thwart hacking attempts by finding known malware. Einstein lacks the capacity to identify malware not previously seen in attacks.

That view has detractors, though. “It can’t possibly be the case that the Fourth Amendment ties our hands in such a way that we just have to sit there and watch the Chinese romp through our infrastructure,” said Mr. Gerstell, the former NSA top lawyer, referring to the U.S. Constitution’s protection of privacy against unreasonable searches.

Mr. Gerstell said it was unlikely that Congress would ever grant such authorities directly to the NSA and that an alternate proposal involving a different agency could be more palatable.

The NSA declined to comment and referred questions to the White House National Security Council, which didn’t respond to requests for comment.

The Senate Intelligence Committee is slated to receive separate briefings this week on the Microsoft Exchange hack from the Biden administration and Microsoft, a committee aide said.

“I think we’re going to be struggling for a long time to understand the scope and the scale of what has happened here,” said Katie Moussouris, the chief executive of Luta Security Inc.

Write to Dustin Volz at [email protected] and Robert McMillan at [email protected]