Microsoft hacking and China: Biden administration expected to form task force

There are an estimated 30,000 affected customers in the US and 250,000 globally, though those numbers are expected to increase, a US official told CNN.

"We are undertaking a whole of government response to assess and address the impact. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to agencies and we're now working with our partners and looking closely at the next steps we need to take. This is an active threat still developing and we urge network operators to take it very seriously," a White House official told CNN.

The task force or, "Unified Coordination Group" (UCG), is a multi-agency effort initiated by the National Security Council, that includes FBI, Cybersecurity and Infrastructure Security Agency (CISA) and others, the US official told the news channel.

IT giant Microsoft recently claimed a group of hackers linked to China hacked into its popular email service that allowed them to gain access to computers.

"Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor," Microsoft said in a blog post.

Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, the IT company claimed.

"While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States," the company said.

"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here," it said.

"The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network," Microsoft said.