Hafnium hack poses new long-term threat for already overtaxed cyber workers

malware detection (Alexander Yakimov/ 

Federal agencies still reeling from the effects of a massive hack involving SolarWinds may face a new challenge of evicting any adversaries that breached their networks through recently discovered vulnerabilities in Microsoft's Exchange software.

"Patching and mitigation is not remediation if the servers have already been compromised," the National Security Council said in a tweet on Friday. "It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted."

President Joe Biden's National Security Advisor Jake Sullivan also took to Twitter to urge U.S. think tanks and defense industrial base contractors "to patch ASAP."

The rare, public warning from the White House urging public and private entities to update their systems followed the Cybersecurity and Infrastructure Security Agency issuing an emergency directive last week, citing an "unacceptable risk" posed by zero-day exploits discovered in Exchange. Microsoft in a recent blog post said it has observed a China-based group, dubbed "Hafnium," using those vulnerabilities to target U.S. organizations.

CISA's directive instructed all civilian federal agencies to immediately disconnect or update Exchange products running on-premise. It also ordered agency CIOs to conduct digital forensics to find indicators of compromise and report back to CISA by noon on March 5.

A spokesman told FCW today that CISA has received reports from a "majority" of civilian agencies. "Currently, agencies continue to patch affected servers and investigate for indications of compromise," he continued.

A spokesman for the Pentagon told FCW, the Defense Department "is aware of the Microsoft Threat Intelligence Center's report and is currently assessing our networks for any evidence of impact. We are taking all necessary steps to identify and remedy any possible issues related to this situation."

Independent security researcher and journalist Brian Krebs reported in his blog on Friday that up to 30,000 organizations may have been affected by the vulnerabilities.

Chris Krebs, the former CISA director, predicted on Twitter that the hack will "disproportionately impact those that can least afford it," and noted that the vulnerability is "trivial to exploit," meaning that anyone aware of the flaw with a bare minimum of technical ability can implant malware on unpatched systems.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.


  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

  • IT Modernization
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA plans 'strategic review' of $16B software program

    New Veterans Affairs chief Denis McDonough announced a "strategic review" of the agency's Electronic Health Record Modernization program of up to 12 weeks.

Stay Connected