Companies that receive mail from the Federal Office for Information Security (BSI) at the beginning of this week shouldn't ignore the letter for too long: because tens of thousands of German companies are affected by a vulnerability in Microsoft's mail server software "Exchange".

For 9,000 of them, the Federal Office estimates the threat from hackers who are already exploiting the vulnerability to be so high that they warn by traditional mail - e-mails could no longer arrive, could be intercepted by attackers and read.

“IT Threat Situation 4 / RED” is written above the warning letter from the office, in which the experts warn of the consequences of a loophole that Microsoft wanted to close with several updates last week.

But at this point it was already too late for many affected companies and authorities around the world.

"According to the server search engine Shodan, the vulnerability potentially affects around 57,000 servers in Germany," writes the BSI in its analysis.


On March 2, Microsoft published four updates for its Exchange server software from 2013 to 2019 - the signal for several hacker groups to immediately start looking for servers around the world whose administrators were negligent and did not close the gap as quickly as possible.

According to research by US security expert Brian Krebs, hackers in a previously unknown Chinese group that Microsoft dubbed “Hafnium” have been exploiting the vulnerability for a long time several hundred thousand machines are likely to be affected.

According to an analysis by specialists from the Boston security company Rapid7, Germany is hardest hit by the attacks alongside the USA.

The most prominent victim of the hack is the European banking regulator.

The Paris authority announced that the administrators had to take the internal mail server offline.

Leak has existed since January 6th


The attack is likely to have been automated - the security holes allowed the hackers to install their own control software, a so-called web shell, on the servers.

Affected servers can then simply be accessed and controlled via an internet browser.

The rightful owners, on the other hand, can only physically pull the network plug.

This is easy if the affected server is in its own server room, difficult if an affected company has the server operated in some data center on another continent.

Microsoft itself found out in its analysis that the attackers initially used the loophole indiscriminately to get a virtual foot in the door as long as it was not closed by an update.

The hackers then set about copying and analyzing e-mail accounts.


According to Microsoft, the goal was US research institutions with projects on the corona pandemic as well as universities, large law firms, companies in the defense industry, think tanks and NGOs.

According to Microsoft, the bug was discovered by IT security researchers at Volexity in the US state of Virginia at the beginning of January.

The Volexity researchers warned Microsoft - and found out that the Chinese hackers had already been reading the e-mails as inconspicuously as possible and in a few carefully selected companies and US government organizations since at least January 6th.

"Malware installed for long-term persistence"

Volexity then warned affected US organizations that they would take their servers off the network.

Microsoft also responded covertly and began working on an update for its Exchange program.

But at the end of February, the hackers also realized that they had been noticed - and promptly started a worldwide automated search for vulnerable servers.

At this point in time, they no longer had to remain inconspicuous, instead they wanted to use the remaining time until an update to compromise as many servers worldwide as possible and to leave their own software behind, which remains active even after the updates.

“In the observed attacks, this was used to gain access to the e-mail accounts and install additional malware for long-term persistence,” warns the BSI of the victims.

The only thing left to do is to take the server off the network, examine it forensically and, if there is a mere suspicion, set up the entire software again.

At least that is what the Cybersecurity and Infrastructure Security Agency (CISA), the US counterpart to the BSI, recommends to potential victims.

Microsoft has already provided a tool for this.

But that doesn't help those companies and organizations whose emails have already been read in China.

You now have to be prepared for the fact that your company secrets, information about current projects and future plans, legislative procedures or future product innovations are also known in China.

In the past, Chinese state hackers were usually out to investigate Western economic secrets in security incidents.

The hacking groups, most of whom belong to the Chinese military or who work alongside it, know exactly what they are looking for - Chinese companies also regularly benefit from the information from the hacks, in recent years in the areas of the chip industry, the armaments industry and raw material exploration.