Why You Should Worry About China’s Cybersecurity Hack on Microsoft Exchange

Nov 1, 2021 | Business, Cybersecurity

With National Cybersecurity Month now in our rearview mirrors until next October, it can’t be stressed enough that your attention to the security needs of your business should be a priority all year long.

Threats to your IT infrastructure never go away. Headlines about cybersecurity attacks are now the norm, and like with anything, all this “noise” can cause critical hacks to be overlooked.

There’s one cyber attack in particular that stands out and should concern all of us. It’s the reported hack of Microsoft Exchange Servers by China that was in the headlines almost daily since first being discovered late this past spring. Why does this matter to you? Let’s review the important things you need to know about this China Microsoft Hack.

China has Become the Leader in Government-backed Cyberattacks

Over the last decade, the People’s Republic of China (PRC) has sponsored attacks on Google, the New York Times, Equifax, and the Vatican. In some instances, the attacks had identifiable objectives.

For example, Chinese-backed hackers compromised The New York Times after it published an article on the Chinese prime minister. The Vatican systems were breached prior to a meeting between the Vatican and China regarding the Catholic Church’s presence in China. However, not all attacks had such clear objectives.

China stole millions of records containing credit card numbers and addresses in its 2017 Equifax attack. The 2015 breach of the US Office of Personnel Management netted 20 million personnel files of civilian employees. Yet, the Chinese did not appear to use the data despite collecting information on people, companies, and government agencies.

Until recently, analysts were unsure why the PRC was stealing such a broad range of information. When China announced in 2017 its goal of becoming the leader in artificial intelligence (AI) by 2030, the country’s data collection efforts made sense. AI requires data — lots of data — to validate its algorithms. To achieve its 2030 goal, China needs to “leapfrog” its technical expertise by stealing intellectual property and research.

Although the international community has been hesitant to attribute cyberattacks to Chinese-sponsored hackers, the US Government attributed the Microsoft Exchange Server hack to the PRC in July 2021. This announcement was the first time the United States officially accused the Chinese of initiating cyberattacks.

What Was the China Microsoft Hack?

Hackers targeted vulnerabilities in Microsoft’s Exchange Server. The software was initially released in 1996 to facilitate the exchange of emails, calendars, contacts, and messaging among Microsoft applications. The product operated on a Windows server running at a customer’s site. Today, Exchange Server operates in the cloud as well as “on-premise.”

What Happened?

The hackers identified a weakness in Exchange server software running on-premise with an internet connection. When cybercriminals detected a vulnerable server, they delivered code that made requests for information such as emails and documents appear to come from a trusted source. As a result, servers returned the data without authenticating the request.

Microsoft credited the cybersecurity company Volexity for identifying the vulnerabilities in January 2021. As part of their routine monitoring of client sites, the company noticed a volume of emails being sent to a suspicious source. They notified Microsoft’s Threat Intelligence Center (MSTIC), which began monitoring the situation.

For most of January and February, MSTIC was able to contain the threat through its routine security operations while Microsoft worked on a security patch. In March, the attacks escalated, with multiple groups exploiting the vulnerabilities. Suddenly incidents were up to hundreds each day and then thousands. It was clear something more was going on.

On March 2, Microsoft indicated that weaknesses in its Exchange Server enabled hackers to exploit the vulnerabilities and compromise a network. They released patches for the 2010, 2013, 2016, and 2019 versions of Exchange. However, Microsoft had no knowledge of on-premise installations of the software and was unable to ensure that the patches were applied.

What Happened Behind the Scenes?

Understanding why it took three months to deliver a security patch means knowing how Microsoft approaches security patches and updates. All Microsoft updates occur on the second Tuesday of each month to minimize the impact on IT departments. Having a set date for updates means IT departments can schedule installation and testing to minimize operational disruptions.

In the beginning, MSTIC was able to mitigate the risk to give developers the chance to isolate and patch the vulnerabilities. However, the late February escalation made it necessary to issue the fixes on the first Tuesday of the month. This process change was an indication of how significant the attack had become. Another indicator was the inclusion of a patch for Exchange Server 2010 even though support for the product ceased in October 2020.

Why Did the White House Get Involved?

Microsoft has no knowledge or control of software installed outside the cloud. Installation of the security updates depended on the IT administrators at the targeted companies. Although many organizations migrated to cloud-based Exchange, many small and medium-sized organizations still use on-premise Exchange Server. Early estimates suggest that as many as 30,000 US organizations were affected in the China Microsoft Hack. Hackers targeted companies, local governments and institutions, and smaller nonprofits because they were more likely to be using legacy software that was no longer being updated. Because these targeted organizations were in the habit of ignoring updates and patches on older software, the White House made an appeal for IT administrators using Exchange Server locally to apply the security patch. They stressed the national security compromise that might occur as a result of the attacks.

Was the Hack a National Security Threat?

Impacted organizations included engineering firms, universities, and retailers — even European financial services were hit with this cybersecurity hack. However, these initial targets are only a stepping stone. Once inside a network, hackers can leverage their access to infiltrate much larger organizations. Much like the SolarWinds attack, the objective is the dissemination of malicious code to as many entities as possible.

The scope of the 2021 China Microsoft Hack created what is considered a national security threat. No one knew precisely which organizations had the compromised software installed and operational. As a result, there was no way to predict what information was at risk. Beyond the immediate concerns, the White House is looking at the long-term ramifications of the ongoing cyberwar with China.

What are the Implications of the China Microsoft Hack?

When the government talks about a cyberwar with China, many consider it hyperbole. It’s difficult to imagine a virtual war with global consequences when the war zone is invisible to most of the world’s population. Yet, these cyber-battles have real-world consequences.

According to a recent report, China has stolen personally identifiable information on 80% of all Americans and is working to acquire the other 20%. From the Equifax hack alone, the PRC gained information on an individual’s credit history. They know how much people have in the bank, how much debt they’ve incurred, and where their money is being invested. That information could be leveraged to exploit vulnerable individuals. Combining the financial data with information from a Marriott or Anthem breach gives China a comprehensive understanding of an individual. Armed with the right information, an agent could start up a conversation in an airport or on a cruise to gain insights that individuals do not realize they’ve provided. What harm comes from a casual conversation with a nuclear research scientist attending a conference? Maybe nothing, but it’s possible that the information, when added to existing data, provides a missing piece.

China’s efforts to become an innovation leader in AI by 2030 require a depth of technical understanding that it does not have. It’s through stealing intellectual property and research that the PRC will achieve its goal. Precisely what China will do with AI is unknown, but its applications are limitless.

They can apply AI to manufacturing, healthcare, or financial services. The technology can be used to improve the functioning of the government and its military machine. Its algorithms can be used to sift through the massive amounts of stolen data to detect patterns and make predictions on a global scale.

AI applications are only beginning as companies explore the possibilities of the technology-human interface. Today, chatbots answer questions, carry on conversations and make recommendations. Investment firms use AI to help predict market changes. Healthcare is exploring applications ranging from virtual diagnosis to triage.

With deep learning and natural language processing, businesses are deploying virtual personal assistants that can complete tasks on behalf of their human counterparts, freeing the human employee to work on higher-value efforts. Imagine what these applications could do if used for malicious purposes.


In cyberspace, AI can become a powerhouse for cyberattacks. With its real-time capabilities, AI can adapt viruses or malware on the fly to target a specific company or network. It can collect information from multiple endpoints and identify vulnerabilities that would take humans months, if not years, to detect.

With the same technology, China can use AI to protect its resources. With a constant stream of data, AI-powered tools can identify potential threats to the PRC’s infrastructure and counter them before damage is done. In fact, AI could ultimately replace human hackers, making cyberattacks even more cost-effective.

How to Strengthen Your Cybersecurity

Developing a strong security posture takes time and resources — something a small or medium-sized organization may not have. However, there are a few things companies can do to strengthen their cybersecurity now.

  • Update software – With the Exchange Server hack, Microsoft found that many companies had failed to update the base software. All the updates had to be installed and tested before the security patch could be applied, exposing the network to further compromise.
  • Maintain backups – Onsite backups are no longer sufficient to protect against ransomware. These viruses now encrypt or disable backup copies if they reside on the same network as the production system. To protect backups, companies need to maintain offsite or offline copies that cannot be accessed through the production environment.
  • Perform vulnerability assessments – Businesses cannot protect against what they do not know. Unless a company performs a vulnerability assessment, it’s impossible to determine potential risk.
  • Create a response plan – When a cyberattack is in progress, it’s too late to decide how to respond. Immediate action is required to contain the attack. Without a plan, people could be working against each other rather than together, allowing the malicious code to spread even faster.
  • Educate employees – People are the first and last defense against a system compromise. Yes, employees may be the primary cause of most data breaches, but they are also the ones who decide whether to click on a link that leads to a malicious website. Keeping them informed enables them to identify potential risks before they turn into a breach.
  • Restrict user access – Many companies grant individuals access to the network but do not restrict where they go or what they do. That policy allows hackers complete control over a system once they can access a user’s account. Companies should implement multi-factor authentication (MFA) and least-privilege access controls.
  • Monitor the network – Network monitoring should incorporate more cybersecurity tools such as intrusion detection and prevention. It should expand to include penetration testing, especially in hybrid environments. With network endpoints moving outside the firewall, network monitoring needs to expand to include all endpoints.

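The first item on that list, keeping Exchange itself current, is the one Microsoft could not verify for on-premise customers. The script below is an added example (not code from the original post or from Microsoft) of how an administrator can check it themselves: it inventories the build of every Exchange server in the organization and flags any that sit below a minimum build. `$MinimumBuild` is an assumed placeholder; the administrator supplies the patched build number for their Exchange version from Microsoft’s published build table, which this page does not reproduce. The script is meant to be run from the Exchange Management Shell, where `Get-ExchangeServer` and `ExSetup.exe` are available.

```powershell
# Added example, not from the original post. Inventory on-premise Exchange
# builds and flag servers below a minimum build. Run from the Exchange
# Management Shell on a server in the organization.
param(
    # Assumed placeholder: replace with the patched build for your Exchange
    # version, taken from Microsoft's published build table.
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

# Exchange reports its cumulative update as a string such as
# "Version 15.1 (Build 2176.2)". Convert it to a System.Version so the
# comparison is numeric rather than a string compare.
function ConvertTo-ExchangeBuild {
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]::new($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null   # unrecognised format: treat as needing attention
}

# Organization-wide view: Get-ExchangeServer lists every server in the
# org, which catches forgotten or legacy servers, the kind the post says
# were most often left unpatched.
$report = Get-ExchangeServer | ForEach-Object {
    $build = ConvertTo-ExchangeBuild $_.AdminDisplayVersion
    [pscustomobject]@{
        Server      = $_.Name
        Build       = $build
        NeedsUpdate = ($null -eq $build) -or ($build -lt $MinimumBuild)
    }
}
$report | Sort-Object Server | Format-Table -AutoSize

$outdated = @($report | Where-Object NeedsUpdate)
if ($outdated.Count -gt 0) {
    Write-Warning ("{0} server(s) report a build below {1}: {2}" -f
        $outdated.Count, $MinimumBuild, ($outdated.Server -join ', '))
}

# Local check: a security update changes the file version of ExSetup.exe
# but not the cumulative-update string above, so the org-wide view alone
# can still hide a missing security patch. Repeat this part on each server.
$exsetup = (Get-Command ExSetup.exe -ErrorAction SilentlyContinue).FileVersionInfo
if ($null -ne $exsetup) {
    $localBuild = [version]$exsetup.ProductVersion
    if ($localBuild -lt $MinimumBuild) {
        Write-Warning ("Local ExSetup.exe is {0}; security update below build {1}" -f
            $localBuild, $MinimumBuild)
    } else {
        Write-Output ("Local ExSetup.exe build {0} meets minimum {1}" -f
            $localBuild, $MinimumBuild)
    }
}
```

The two checks answer different questions: the organization-wide inventory shows whether a server is still on an old cumulative update (the “base software” the post says had to be brought current before the March patch could even be applied), while the local `ExSetup.exe` file version shows whether the security update itself is present on that server. An inventory run on a schedule, with the warning lines forwarded to whoever owns patching, turns the “set and forget” habit the post describes into a recurring control.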

Get a Free, No-Risk Cybersecurity Assessment

Now that you have more background to be better aware of how China is a threat to your own IT infrastructure, let’s plan for your free, no-risk cybersecurity assessment. We’ll discuss your concerns and provide an independent analysis to identify the gaps to address so you can be worry-free the next time you read headlines about a widespread security breach.
