CISA orders US agencies to address Microsoft flaws exploited by suspected Chinese hackers

Agencies have until Friday to report back to CISA on their level of exposure.

The Department of Homeland Security’s cybersecurity division on Wednesday ordered federal civilian agencies to address flaws in a popular email software program at the center of a suspected Chinese spying campaign.

The “emergency directive” from DHS’s Cybersecurity and Infrastructure Security Agency requires agencies to either apply security fixes for the vulnerabilities in the Microsoft Exchange Server software, or, if a compromise is found, to disconnect the program until it can be securely reconfigured.

The CISA order comes a day after Microsoft revealed that China-based hackers were using the previously unknown software bugs to steal data from select targets. The hacking group, called Hafnium, has previously tried to breach U.S.-based infectious disease researchers, defense contractors and educational institutions, Microsoft said.

The suspected Chinese hackers used one of the vulnerabilities to “steal the full contents of several user mailboxes,” according to Volexity, a cybersecurity firm that investigated the breaches.

Exchange Server is used in the federal government, and the email correspondence of U.S. officials is coveted material for foreign spies.

It’s unclear if any federal agencies have been breached in the campaign, but the CISA directive underscores the urgency of the threat. CISA cited the “likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.”

There were signs on Wednesday that additional exploitation of the vulnerabilities was well underway. Jon Hencinski, an executive at security firm Expel, said he had seen “automated exploitation of Internet-facing Exchange servers” using one of the vulnerabilities.

Agencies have until Friday to report back to CISA on their level of exposure.

CISA has only issued a handful of emergency directives in its two-year existence, but the agency has increasingly employed the authority in the face of critical bugs in software used by the federal government. CISA in September ordered agencies to address a critical vulnerability in a Microsoft protocol that hackers could use to steal sensitive data.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.