Late last year, researchers at the Los Angeles-based cybersecurity company Resecurity stumbled across a massive trove of stolen data while investigating the hack of an Italian retailer.
Squirreled away on a cloud storage platform were five gigabytes of data that had been stolen during the previous three and half years from foreign ministries and energy companies by hacking their on-premises Microsoft Exchange servers. In all, Resecurity researchers found documents and emails from six foreign ministries and eight energy companies in the Middle East, Asia and Eastern Europe.
The attacks, which haven’t been previously reported, served as a prequel to a remarkably similar, widely publicized hack of Microsoft Exchange servers from January to March of this year, according to Resecurity. A person familiar with the investigation into the 2021 attack, who wasn’t authorized to speak publicly and requested anonymity, made a similar allegation, saying the data theft discovered by Resecurity followed the same methods. The 2021 hack was extraordinary for its scope, infecting as many as 60,000 global victims with malware.
Microsoft quickly pinned the 2021 cyberattack on a group of Chinese state-sponsored hackers it named Hafnium, and the U.S., U.K., and their allies made a similar claim last month, attributing it to hackers affiliated with the Chinese government.
Resecurity can’t say for sure the attacks were perpetrated by the same group. Even so, the cache of documents contained information that would have been of interest to the Chinese government, according to Gene Yoo, Resecurity’s chief executive officer. The person familiar said the victims selected by the hackers and type of intelligence gathered by attackers also pointed to a Chinese operation.
Researchers at other cybersecurity firms, who requested anonymity because they hadn’t reviewed all of Resecurity’s findings, cautioned that the attacks could have been perpetrated by any number of nations interested in Middle East diplomacy and the internal communications of influential energy companies.
Regardless, both hacking campaigns underscore how flaws in Microsoft’s popular on-premises email servers—which are controlled by the customers using those systems—have for years acted as a skeleton key for hackers to unlock sensitive data from government and private companies.
The Chinese government rejected allegations that its state-sponsored hackers were involved in any of these attacks.
“China resolutely opposes any form of online attack or infiltration. This is our clear and consistent stance,” the Ministry of Foreign Affairs said, in a messaged statement. “Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyberattacks and other criminal activity.”
In addition, the Ministry said it was a “complex technology problem” to determine the source of attacks, adding that it hoped the media would avoid “groundless speculation” and rely on “comprehensive evidence when determining the nature of cyberspace events.” China has already proposed a global data security standard and urges “all parties to work with us to genuinely safeguard global data security,” according to the Ministry’s statement.
Microsoft Corp. spokesperson Jeff Jones said in a statement that, “many nation-state actors” target email systems to gain confidential information, and that Microsoft’s security teams are “constantly working with our security partners” to identify new vulnerabilities that could be used in future attacks.
Microsoft has been tracking Hafnium, the group it accused of the 2021 attack, since as early as April 2020, including collecting data about its cyber-espionage operations, Jones said. Microsoft’s threat intelligence unit has since tracked multiple campaigns by Hafnium, and have notified countries that were victims of the attacks, according to Jones, who didn’t identify the countries. Hafnium’s goal is espionage with a focus on data theft, he said.
In a series of breaches stretching from 2017 to 2020, hackers stole documents and emails from foreign ministries in Bahrain, Iraq, Turkey, Oman, Egypt and Jordan—and email and data from eight energy companies, including Malaysian oil and gas giant Petronas Nasional Bhd and India’s Hindustan Petroleum Corp., according to Resecurity and a review of the stolen data by Bloomberg News.
Some of the emails and documents appear to contain sensitive information: diplomatic cables, critical network data including usernames and passwords and private consumer data.
For instance, one memo from an attaché from Bahrain described a Dec. 9, 2018, meeting in which the country’s leading Asia diplomats met with Chinese counterparts, at a time when China was facing a possible special session of the United Nations Human Rights Council to scrutinize its treatment of Muslim Uyghurs. In the meeting, China’s Lin Jiming recalled that two years earlier, his country defended Bahrain’s own human rights record during a formal U.N. review, according to the memo, which was forwarded to Bahrain’s foreign minister and human rights affairs directorate, along with a recommendation to support China’s position.
Bahrain was among 37 countries that signed a letter in mid-2019 supporting China’s policies in the western region of Xinjiang. The special session never occurred.
There are also documents detailing day-to-day business, such as internal memos about personnel changes, news summaries, an autograph request for a foreign minister and invitations to diplomatic conferences, according to Resecurity and the documents reviewed by Bloomberg.
Officials in Bahrain didn’t respond to a message seeking comment. Officials in Iraq confirmed the government has been the target of cyberattacks but said they weren’t damaging. Representatives from Turkey, Oman, Egypt and Jordan didn’t respond to requests for comment. HPCL didn’t respond.
The attackers also compromised a series of mostly state-run energy companies, utilities and research facilities covering regions stretching from Eastern Europe to Southeast Asia, according to Resecurity. Along with sensitive administrative data and intellectual property, Resecurity’s researchers also found lists of users, their internal network permissions and password details, all of which could be used by hackers to expand their footprint inside victim networks, according to Resecurity researchers and the documents.
Inside the servers of Petronas, the hackers found lists of usernames and passwords, according to Resecurity and the documents Within Hindustan Petroleum, they found thousands of user records and employee emails, according to the researchers and documents.
Other victims included Doosan Fuel Cell Co. in Korea; Romania’s Institute for Nuclear Research in Pitesti; the State Oil Company of Azerbaijan Republic, known as SOCAR; the UAE’s Sharjah National Lube Oil Corp. and Jordan’s Electric Distribution Company and National Electric Power Company, according to Resecurity.
In response to a Bloomberg query, Doosan said its Exchange server was attacked but that hackers were prevented from stealing any data. Petronas didn’t answer specific questions about the alleged attack but provided a statement about their “robust and comprehensive cybersecurity strategy.”
The other companies and Romania’s nuclear research unit didn’t respond to requests for comment.
The 2021 attack occurred after hackers discovered a series of previously unknown vulnerabilities—called zero days—in the Microsoft Exchange email system, and then used those to exploit tens of thousands of victims globally. While the attack’s sprawl was unprecedented, relatively few of the Exchange customers who were infected with malware were then targeted for more invasive attacks such as data theft or ransomware, Microsoft said in a blog.
It’s unclear how the hackers behind the earlier attacks on foreign ministries and energy companies initially infiltrated the networks.
But after the original compromise, both attacks were almost identical. Hackers installed web shells on victim networks that allowed them to remotely access the internal login page for each server. The attackers then used an open-source software called Mimikatz (and a modified version of Mimikatz) to steal passwords and establish a connection inside the network.
Such methods aren’t particularly unique. Instead, such generic attack methods allow hackers to hide their tracks and have become a signature for government hacking groups, including some affiliated with the Chinese government, said Ben Read, director of cyber-espionage analysis at the cybersecurity firm Mandiant.
—With assistance from Jamie Tarabay.
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.