Date: 2021-03-13

A Chinese government-sponsored cyberattack targeted government of Guam agencies earlier this week, governor's chief technology officer Frank Lujan confirmed Friday evening.

The cyberattack exploited a vulnerability in Microsoft's email software, said Lujan. Nearly 60,000 other organizations across the globe were affected by this cyberattack, he said.

Lujan said the attack was a state-sponsored hack carried out on behalf of China.

He said the good news is that none of GovGuam's sensitive information was compromised. GovGuam's federal cybersecurity agency partners provided the tools "to look for what they call indicators of compromise – IOCs – and we ran those scripts and found no indicators, which is a good thing," Lujan said.

"It's a state-sponsored attack; it did come from China and they are looking for what's called – well any kind of information to exploit within the emails."

He said the U.S. Department of Homeland Security alerted GovGuam to the cyberattack which began on Tuesday. GovGuam shut down servers while a patch from Microsoft was being installed to plug the "hole," or vulnerability.

The Department of Revenue and Taxation, the Department of Public Health and Social Services, the Department of Administration and the Office of Technology were among the agencies that were targeted, Lujan said.

A total of 15 of GovGuam's internet domains and email servers GovGuam-wide were shut down as a precaution while security patches were being installed, he said.

"We took down our email server on Tuesday afternoon, ... and we actually just came back up (Friday) morning around 9:30," Lujan said.

"Now the system is back up and running and there's no anticipation to ... stop the servers for any additional remedies. There aren't any other vulnerabilities that we're aware of."

Microsoft security patches

On March 4, Microsoft announced on its website that it had detected attacks on certain versions of Microsoft Exchange Server that needed security patches.

"In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments," Microsoft stated.

The Microsoft Threat Intelligence Center "attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures," according to the company.

"Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs," Microsoft stated.

KrebsOnSecurity, a cybersecurity company, reported that Microsoft’s initial advisory about the Exchange flaws credited Reston, Virginia-based Volexity for reporting the vulnerabilities. KrebsOnSecurity quoted Volexity President Steven Adair as having said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.