“This is an active threat,” White House Press Secretary Jen Psaki said Friday. “Everyone running these servers – the government, the private sector, academia – must act now to patch them.”
Later on Friday, the Cybersecurity and Infrastructure Security Agency stressed the risk in unusually plain language, saying in a tweet that the malicious activity, if left unchecked, could “enable a hacker to gain control of an entire corporate network.”
In a rare move, White House officials have urged private-sector organizations running on-premises installations of Microsoft Exchange server software to install additional critical updates, which were released in what information security experts described as an emergency patch release.
Pentagon Press Secretary John Kirby told reporters on Friday that the Department of Defense is currently working to determine if it has been adversely affected by the vulnerability.
“We are aware of it and we are assessing it,” Kirby said. “And that’s really as far as I’m able to go right now.”
But the malicious activity revealed this week is in no way related to the SolarWinds hack, Microsoft said Tuesday.
Microsoft typically releases software updates on the second Tuesday of each month. But in a sign of the seriousness of the threat, Microsoft released patches addressing the new vulnerabilities – which had never been discovered until now – a week early.
‘We urge network operators to take it very seriously’
“We urge network operators to take it very seriously,” Psaki said of the directive. The administration is concerned that there are a “large number of victims,” she added.
A person working in a think tank in Washington told CNN that both her work and personal email accounts were hit by the attackers. Microsoft sent her a warning that a foreign government was behind it. AOL sent a similar notification about the personal account.
The person was then visited by FBI agents who showed up at her front door and reiterated that this was in fact an ongoing, sophisticated hack by a foreign government and that a nationwide FBI investigation is underway.
The attackers, having used their unauthorized access to the person’s email contacts, “tailored [the messages] in a way that the recipient will not doubt that I am the sender.” The attackers’ fraudulent emails, sent in the person’s name, contained invitations to non-existent conferences and referred to an article in her name and a book in a colleague’s name, none of which were written by them.
Every message, the person said, came with links asking people to click on them.
The U.S. government’s unusual public response to the incident came as a surprise to many experts, a reflection of both the Biden administration’s focus on cyber issues compared to Trump’s White House and the scale of the threat.
CNN’s Michael Conte and Oren Liebermann contributed to this report.