The hack of Microsoft’s Exchange server software, which centrally manages email and calendars for businesses, threatens to be a bonanza for cybercriminals and may alter the course of US–China relations under the Biden administration.

State-based cyber espionage typically—barring money-focused North Korean hacking—follows a standard playbook with its own internal logic: governments have intelligence requirements, their agents break in and steal information, sooner or later (and sometimes much later) the agents get caught and systems are cleaned of malware, and the cycle repeats. The score changes with intelligence wins, but the game stays the same.

The ongoing Chinese exploitation of Microsoft Exchange servers is different. Has the game changed?

In late 2020, Orange Tsai, a Taiwanese security researcher, discovered a series of four separate bugs that could be strung together to seize control of a Microsoft Exchange server.

This kind of vulnerability is about as bad as it gets. Not only is email an intelligence agency’s highest priority, but Exchange servers are particularly valuable real estate from which to move further into a network. The Microsoft-hosted cloud version of Exchange is not vulnerable, so, ironically, the customers that chose to run their own Exchange servers because of concerns over the security of cloud services find themselves uniquely exposed.

Orange reported these findings to Microsoft so they could be fixed, but before he’d even submitted his report to the company’s security response centre, this series of bugs was being exploited ‘in the wild’—that is, they were already being used for cyber espionage.

Microsoft reported that a Chinese state-sponsored group the company calls Hafnium was using these techniques to take control of Exchange servers, to steal email, files and credentials, and to set up persistent access (commonly known as backdoors) to the compromised network for future exploitation.

Independent discovery of bugs is surprisingly common. The high-profile Spectre and Meltdown processor bugs were more or less simultaneously discovered by three independent groups, and research has found that, in a particular set of vulnerabilities, about 6% were independently discovered within a year.

It’s still possible that cyber espionage activity in early January was the result of independent discovery, but by late February Orange’s bug discoveries were being used by other cyber actors; at least one of these groups was using exploits with significant similarity to Orange’s prototype code, including his use of ‘orange’ as a password.

How did Orange’s discovery make it into the hands of a Chinese espionage group? Taiwan is a perennial target of Chinese espionage (of all kinds, not just cyber espionage), and security researchers make tempting targets because of the possibility of their using any techniques they discover. But Microsoft itself is also a potential source of the leak and is reportedly investigating avenues of vulnerability, particularly its Microsoft Active Protections Program, which gives a trusted cohort of companies advance access to security information so that they can prepare defences.

In any case, within days of Orange’s discovery Exchange servers were being exploited by Chinese espionage groups. In what would normally have been a cybersecurity success story, this quiet exploitation was almost immediately detected independently by two separate security companies, both of which also informed Microsoft.

In the normal course of state-sponsored espionage, this kind of measured and covert exploitation of vulnerabilities for intelligence-gathering would have continued until Microsoft issued a fix, and the opportunity for intelligence gains would have disappeared as organisations updated their systems.

But in a deviation from the ‘normal’ playbook, as Microsoft was preparing to issue its patch, exploitation of the vulnerability accelerated, with multiple groups automatically and indiscriminately using it on any susceptible server.

There are claims that up to 10 different cyber espionage groups are involved, many of them with links to China, but cybercriminals are also taking part.

Not only was this hacking indiscriminate, affecting 30,000 servers in the United States and potentially hundreds of thousands globally, but the hackers also left these servers open to further abuse by other malicious groups by installing open webshells, backdoors that allow a compromised server to be controlled simply by using a web browser.

Cybercriminals are already taking advantage of these pre-compromised servers to launch ransomware attacks. Ransomware groups have refined their tactics over the last year and payments in the millions of dollars are not uncommon. Given the sheer number of companies affected, it’s possible that the total lost to ransoms may well be in the hundreds of millions to billions of dollars, in addition to the network remediation cost.

At this stage, there has been no official US statement on who is ultimately responsible for the mass hacking of Exchange servers. Determining a chain of events and assigning responsibility will be key to any official response. There’s a spectrum of possibilities ranging from the deliberate to the coincidental: perhaps China deliberately exploited this bug at scale; perhaps loosely controlled contractor groups went rogue; perhaps the technique was deliberately shared with criminal groups; perhaps it was available for sale within criminal markets; or perhaps it was leaked during Microsoft’s remediation process.

At the most incendiary end of the spectrum of possibilities, a deliberate decision by China to mass-exploit servers would drastically affect Washington’s approach to dealing with Beijing. In the short term, the US would assemble a broad coalition of affected countries (likely all countries are affected) to launch a robust diplomatic and economic response, but perhaps more importantly attitudes would harden within the administration and it would embed hard-edged combativeness into all US–China decision-making. There is also the worrying possibility that if a deliberate Chinese operation is proven, this episode will change the game so that states become willing to carry out cyber operations without conducting the due diligence to avoid collateral damage and destructive side-effects.

If responsibility is sheeted home to rogue contractors, the administration would take a ‘get your house in order’ response and diplomatic pressure would be applied to bring China-based cyber proxies under control. Building a broad coalition of countries is also key here, but such a move should include more public indictments to reveal the linkages between the Chinese state and cyber espionage groups. Although deterrence by embarrassment doesn’t seem to have worked in the past, the global and (likely) destructive consequences of the hack raise the stakes considerably.

If it’s found that ultimate responsibility lies with criminal groups (that is, the Chinese state exploited the bug, but criminal groups independently discovered or bought it and engaged in mass exploitation), the response would be two-pronged. One arm of action would focus on operations that deter and hamper cybercriminal groups, including law enforcement action and offensive cyber operations. A second arm would focus on the ongoing efforts to improve the level of cybersecurity resilience across the whole economy through strong regulation.

Within a month of the discovery of the recent SolarWinds hack, the US issued an official statement that the perpetrators were ‘likely Russian’. The fallout from the Exchange hack will continue over many months, but official statements that hint at or assign responsibility will be key indicators as to how the US government, and the world, will respond.