
Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

This post provides executive-level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging that it is almost pushing the recent SolarWinds attacks off the headlines. Keep in mind that until this point, the SolarWinds attacks were being called the biggest hack in history by many. So this is a signal that the damage from this one will also be huge.

This attack is being called the Hafnium attack, named after the PRC Chinese Communist Party (CCP) affiliated hacking group that is believed to be behind it.

Every C-suite executive should understand a few things about this one. It is so big that anyone who uses Exchange should consider themselves compromised. Initial reports put the number at over 30,000 organizations, but we are hearing from our sources that the number is actually far larger. Any business, non-profit, local, state or federal organization that runs Microsoft Exchange should consider itself compromised at this point.

Technical teams can find a wealth of information on this topic from sources like the Department of Homeland Security’s Critical Infrastructure and Cybersecurity Agency (CISA). We hope this topic is not a surprise to anyone on the technical staff.

But there are also executive-level actions that need to be considered. Every enterprise is different, and recommendations for your action in response to the Hafnium attack should absolutely be tailored to your specific situation. But here is a short list to kickstart executive-level action plans:

  • Since the US Government’s cyber experts at CISA issued an emergency directive requiring all agencies to disconnect their MS Exchange servers, you should take that as a signal that this is incredibly important, even for non-technical leaders to track. Ask your technical team whether your firm uses Microsoft Exchange and what your exposure is, and if you use it, do what you can to encourage your Exchange servers to be unplugged. You will survive. If you were dependent on it, congrats, you now have motivation to find another solution.
  • If your company has critically important business applications that depend on MS Exchange, and if you cannot immediately move off this system for email, patch before plugging your Exchange servers back into your network. Your normal process for patching important systems like Exchange should certainly involve testing, since patches can break some dependencies. But in this case your firm should probably err on the side of patching first and testing later. Your technical team may need executive-level support to make this decision. This is huge and ugly, and you have to assume that your company is bleeding information every second that you don’t patch, so back them up on this.
  • Any firm big enough to have an incident response team should know what to focus on now: look for evidence of a breach that expanded out from this massive compromise. Depending on your threat model, the threat may be of coming business email compromise or business process attacks that will seek to steal millions of dollars using insider knowledge, so help raise awareness of that type of attack among your entire leadership team.
  • Organizations not large enough to have an incident response team should quickly look to find an external service provider with security talent (an MSSP) who can help with cleanup.
  • Ask other line-of-business leaders to review their views of their most important data. Do what you can to focus defenses on that most important data.
  • All firms big and small, and all government organizations, should accelerate their move to secure cloud infrastructures. At this time, when I say secure I mean Amazon AWS and Google Cloud. Both of those need to be smartly configured, but when they are, they are provably better at reducing risk and protecting key data. Fortunately this improved security comes with improved functionality and is very likely more economical than anything you are doing yourself.
  • As you engage with high-end red teams to test your ability to defend, ask them to pay particular attention to your Microsoft-related systems and report back on a view of what adversaries can see there.
  • This type of high-end attack proves the need for advanced strategies to mitigate the work of high-end adversaries, including deception (see our Executives’ Guide to Deception Strategies here).

For more executive-level insights on reducing risk in the modern age, see the OODA Loop Cyber Sensemaking Page.

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes OODA Loop. Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high-tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency. Find Bob on Defcon.Social.