[1] By the end of January, Volexity had observed a breach allowing attackers to spy on two of their customers, and alerted Microsoft to the vulnerability.
Analysts at two security firms reported they had begun to see evidence that attackers were preparing to run cryptomining software on the servers.
[26] The attacks came shortly after the 2020 United States federal government data breach, which also saw the compromising of Microsoft's Outlook web app and supply chain.
[27] Microsoft said that the attack was initially perpetrated by the Hafnium, a Chinese state-sponsored hacking group (advanced persistent threat) that operates out of China.
[26] Microsoft identified Hafnium as "a highly skilled and sophisticated actor" that historically has mostly targeted "entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
"[22][30] In a July 19, 2021 joint statement, the US, UK, EU, NATO, and other Western nations accused the Ministry of State Security (MSS) of perpetrating the Exchange breach, along with other cyberattacks, "attributing with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.
[35][36] The final two exploits allow attackers to upload code to the server in any location they wish,[36] that automatically runs with these administrator privileges.
Among the actions observed are the downloading of all emails from servers, downloading the passwords and email addresses of users as Microsoft Exchange stores these unencrypted in memory, adding users, adding further backdoors to affected systems, accessing other systems in the network that are unsusceptible to the original exploit, and installing ransomware.
[11][44] Tom Burt, Microsoft's vice president for Customer Security & Trust, wrote that targets had included disease researchers, law offices, universities, defense contractors, non-governmental organizations, and think tanks.
[28][9][45] Automatic updates are typically disabled by server administrators to avoid disruption from downtime and problems in software,[46] and are by convention installed manually by server administrators after these updates are tested with the existing software and server-setup;[47] as smaller organizations often operate under a smaller budget to do this in-house or otherwise outsource this to local IT providers without expertise in cybersecurity, this is often not done until it becomes a necessity, if ever.
[52] Security company ESET identified "at least 10" advanced persistent threat groups compromising IT, cybersecurity, energy, software development, public utility, real estate, telecommunications and engineering businesses, as well as Middle Eastern and South American governmental agencies.
"[54] On 18 March 2021, an affiliate of ransomware cybergang REvil claimed they had stolen unencrypted data from Taiwanese hardware and electronics corporation Acer, including an undisclosed number of devices being encrypted, with cybersecurity firm Advanced Intel linking this data breach and ransomware attack to the Microsoft Exchange exploits.
[56] On 3 March 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive forcing government networks to update to a patched version of Exchange.
On 8 March, CISA tweeted what NBC News described as an "unusually candid message" urging "ALL organizations across ALL sectors" to address the vulnerabilities.