Microsoft: Foreign Governments Backing Log4j Hackers


Hackers backed by China and other nations are part of an increasing cohort looking to expose weaknesses in computer server software, according to Microsoft and cybersecurity experts.

As The Wall Street Journal reported on Wednesday (Dec. 15), the fact that these attackers have government backing underscores the seriousness of the vulnerability in the Log4j software, which has led to more than 840,000 attacks on companies in the last five days. Security experts told the Journal that the flaw could enable serious attacks, including ransomware.

“The effects of this vulnerability will reverberate for months to come — maybe even years — as we try to close these doors and try to hunt down all the actors who made their way in,” said John Hultquist, vice president of intelligence analysis at the U.S.-based cybersecurity firm Mandiant Inc.

The vulnerability in the widely used Log4j software allows attackers to force affected computers to download software. In many cases, attackers have been able to take over computers and force them to mine bitcoin, or to make them part of botnets that overwhelm websites with spam or traffic.

Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, has called the vulnerability “one of the most serious,” if not the most serious, she has seen. She said the flaw could affect hundreds of millions of devices.

“To be clear, this vulnerability poses a severe risk,” Easterly said earlier this week. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”

According to The Wall Street Journal, both Microsoft and Mandiant said hackers linked to the governments of Iran and China have carried out attacks exploiting the Log4j flaw. On its website on Wednesday (Dec. 15), Microsoft also noted that it had seen North Korea- and Turkey-backed hackers exploiting the flaw. Some attackers appeared simply to be experimenting, while others were using the flaw to break into online targets.