Chinese State Hackers Breached Thousands via Microsoft Exchange
HAFNIUM's sophisticated 2021 attack exploited zero-day vulnerabilities to infiltrate U.S. organizations across defense, research, and policy sectors

Quick Facts
Between January and March 2021, a state-sponsored Chinese threat actor designated HAFNIUM conducted one of the year's most significant cyberattacks, targeting Microsoft Exchange servers used by organizations across the United States and beyond. The attackers remained undetected for approximately two months before Microsoft disclosed the breach on March 2, 2021.
The attack exploited four previously unknown zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 running on-premises. Cloud-based Exchange Online services were not affected. The vulnerabilities—tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—allowed attackers to bypass authentication, execute remote code, and establish persistent access within compromised networks.
HAFNIUM's technical sophistication was evident in their exploitation chain. The initial vulnerability, ProxyLogon, allowed attackers to bypass authentication entirely. Once inside Exchange servers, the attackers deployed web shells—hidden backdoors allowing continued remote access—and extracted sensitive data from the Offline Address Book, a cached directory of user accounts and email addresses. This allowed attackers to steal email credentials and install additional malware for long-term persistence.
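A defender-side check that follows from the web shell stage described above, added here as an example and not code from the article or from Microsoft: it walks the web-accessible directories of an on-premises Exchange install and flags .aspx files that were modified after a cut-off date or that combine API names typical of web shells. The default path is an assumption taken from Microsoft's published guidance for this incident; the files the demo function scans are constructed stand-ins, not real server content.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Web-accessible Exchange directory where HAFNIUM web shells were reported.
# Assumed default; adjust to the local installation before a real scan.
DEFAULT_ROOTS = [r"C:\inetpub\wwwroot\aspnet_client"]

# Markers typical of ASP.NET web shells: a request parameter is read and handed
# to a process launcher or an evaluator. A file is flagged only when two match.
SHELL_PATTERNS = {
    "reads request parameter": re.compile(rb"Request\s*(\[|\.Form\[|\.QueryString\[)"),
    "launches process": re.compile(rb"Process\.Start|ProcessStartInfo|cmd\.exe", re.I),
    "dynamic eval/load": re.compile(rb"\beval\s*\(|Assembly\.Load|Execute\s*\("),
}

def scan_for_web_shells(roots, since, min_hits=2):
    """Return [(path, reasons)] for .aspx files under roots that were modified
    after `since` (aware datetime) or match at least min_hits shell patterns."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):
            continue  # missing roots are skipped, not treated as errors
        for path in Path(root).rglob("*.aspx"):
            reasons = []
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime > since:
                reasons.append(f"modified {mtime:%Y-%m-%d} after cut-off")
            hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(path.read_bytes())]
            if len(hits) >= min_hits:
                reasons.append("shell patterns: " + ", ".join(hits))
            if reasons:
                findings.append((str(path), reasons))
    return findings

def demo():
    """Build a constructed sample tree (not real server content) and scan it."""
    base = Path(tempfile.mkdtemp())
    old = base / "logon.aspx"  # benign page, untouched since install
    old.write_bytes(b"<%@ Page Language='C#' %><html>Sign in</html>")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    # Constructed stand-in for a dropped shell: only the tell-tale API names, no logic.
    new = base / "x.aspx"
    new.write_bytes(b"<%@ Page %><% Request[\"c\"]; System.Diagnostics.Process.Start %>")
    since = datetime.fromtimestamp(time.time() - 3600, tz=timezone.utc)
    return scan_for_web_shells([str(base)], since)
```

On a real server, call `scan_for_web_shells(DEFAULT_ROOTS, <date of last known-good patch>)` and review every hit by hand; a recent modification alone is a lead, not proof.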
Microsoft's Threat Intelligence Center attributed HAFNIUM to China with high confidence. The targeted sectors—infectious disease research organizations, U.S. defense contractors, and policy think tanks—suggested espionage objectives aligned with Chinese strategic interests. While Microsoft did not release exact victim counts, the company confirmed "thousands" of organizations had been compromised.