The company said that it believes the attacks were carried out by Hafnium, “a group assessed to be state-sponsored and operating out of China.” It did not offer evidence supporting the assessment, but said the “state-sponsored” actor was identified by the Microsoft Threat Intelligence Center based on observed “tactics and procedures.”
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately,” it said.
“This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers.”
Hafnium is a network of hackers that “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and [non-government organizations],” according to Microsoft.
Though the group is believed to be based in China, it usually strikes using virtual private servers based in the United States, the company said.
Asked about the Microsoft blog post, a spokesperson for China’s Ministry of Foreign Affairs said that the country “firmly opposes and fights all forms of cyber-attacks and thefts in accordance with the law.”
“Connecting cyberattacks directly to the government is a highly sensitive political issue,” Wang Wenbin told reporters at a regular press briefing. “China hopes that relevant media and companies will adopt a professional and responsible attitude. When characterizing cyber incidents, it should be based on sufficient evidence, rather than unprovoked guesses.”
This isn’t Microsoft’s first tangle with Hafnium. The tech giant has previously — on separate, unrelated occasions — observed the group “interacting with victim” users of Office 365, it said.
But “this is the first time we’re discussing its activity,” wrote Burt.
“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” the company said.
— CNN’s Beijing bureau contributed to this report.