Suspected Chinese hackers took advantage of Microsoft Exchange vulnerability to steal call records

Chinese hackers are still swiping call records.

Hackers with ties to China exploited vulnerabilities in Microsoft Exchange for several months, starting in late 2020, to steal call logs from a Southeast Asian telecommunications company, researchers at Cybereason report.

The White House last month formally blamed Chinese government-affiliated hacking group HAFNIUM for a massive hacking campaign exploiting vulnerabilities in Microsoft Exchange, Microsoft's widely deployed email server software. Cybereason found that the groups targeting the unnamed Southeast Asian telecom had been exploiting the same vulnerabilities for months before Microsoft disclosed them.

The new findings build on a 2019 report from Cybereason in which investigators identified a long-running hacking campaign that breached about 10 cellular providers in Africa, Europe, the Middle East and Asia. Researchers now say that not only has that group not let up, but it has been joined by two more groups tied to Chinese intelligence conducting the same kinds of operations.

The three clusters of activity detailed in the report had evaded detection since at least 2017, according to the research. Given their focus on the same target and the overlap in their tactics, it appears likely that all three groups were working in the interest of the Chinese government, says Assaf Dahan, head of threat research at Cybereason.

Dahan says the hackers likely accessed hundreds of gigabytes, if not terabytes, of data from the cellular provider, which could amount to hundreds of thousands of call records. Most likely, however, the hackers were after a handful of select targets of interest to the Chinese government, such as political dissidents.

While foreign governments have a number of ways to conduct espionage against individuals, such as planting spyware directly on a target's phone, going after the telecom provider instead can make the activity harder to detect, says Dahan.

“It will be very difficult to understand who were the actual targets because it’s not like they’re attacking the end-users,” says Dahan. “They’re attacking the provider. It makes attribution harder.”

While the hackers have primarily targeted Asian telecom providers, the same attacks could be carried out against providers in other regions, Dahan notes.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.