Doomsday II: The Massive Microsoft Email Data Breach Sequel

By Duane Thresher, Ph.D.    March 8, 2021

Only IT incompetent megacorporation Microsoft could have an oxymoron like Doomsday II, the sequel to the end of the world, in this case the sequel to The Doomsday Microsoft Government Email Data Breach. But perhaps it should be seen as taking doomsday on the road. The first Microsoft email doomsday data breach destroyed U.S. Government IT and the sequel is being called a global crisis, having also destroyed the IT of foreign governments and institutions. At least the IT incompetent media realized this time that it was Microsoft's fault — they call it the Microsoft Exchange Cyberattack — which they didn't last time. The first Microsoft email doomsday data breach was due to Microsoft's Outlook email, in all its various guises, and this sequel Microsoft email doomsday data breach is due to Microsoft's Exchange, which is their email server. Here I explain all this and how they are related.

Of course, all the U.S. government and media can do is play the blame game because being IT incompetent they can't find any real proof. During the first Microsoft email doomsday data breach most, particularly in the federal government, said it was done by Russia, but with this sequel Microsoft email doomsday data breach most say China, based solely on what blame-shifting IT incompetent Microsoft says. The White House has ordered the same notorious IT incompetent federal agency, the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), that itself was hacked in the first Microsoft email doomsday data breach to fix this sequel Microsoft email doomsday data breach. IT incompetent CISA just says to do whatever Microsoft says to do, the same IT incompetent Microsoft that allowed both doomsday data breaches to happen in the first place. That would make this doomsday sequel a comedy, not a drama.

I explained in The Doomsday Microsoft Government Email Data Breach how that hacking was due to IT incompetent Microsoft's Outlook email, in all its various guises. This hacking sequel was due to IT incompetent Microsoft's Exchange, which is an email server Microsoft makes (a server is just a computer running software that provides a service, like email). The difference is that while one guise of Microsoft Outlook is an email service run by Microsoft, Microsoft Exchange is an email server Microsoft makes that can be run by an enterprise, such as a department of the U.S. Government. This was one reason why in The Doomsday Microsoft Government Email Data Breach I explained it was sometimes hard to know if a federal department was using Microsoft email, in some way or another.

To make matters more convoluted — and making the two Microsoft email doomsday data breaches definitely related — Microsoft originally made accessing an Exchange email server a proprietary protocol (for monopolistic reasons, Microsoft loves these), and made Microsoft Outlook one of the only email clients that could do this. Further, the Outlook email service run by Microsoft is itself a Microsoft Exchange email server.

Microsoft's Exchange email server has been integrated with Microsoft Windows Server, which acts as the operating system for many enterprise computers. So, once a Microsoft Exchange email server has been hacked, it is easy to hack the operating system — particularly since many services use email login authentication as their login authentication — of many computers. Once a computer's operating system has been hacked, the computer is "owned" by the hackers. They install, as part of the operating system, software such as rootkits (see Equifax Dead: Hacked So Credit Reports Worthless) that make it impossible to detect any evidence of the computer having been hacked — so absence of evidence is not evidence of absence, particularly by IT incompetent investigators — and that provide permanent secret access to the computers by the hackers. The only fix is to completely erase all hard drives involved and start over from scratch. Backups cannot be used because it cannot be known when the hackers hacked the system and installed their software. Truly a doomsday data breach.

Even the U.S. Government considers this sequel a doomsday data breach, starting with the White House, which besides threatening war on China, issued unprecedented public statements about how bad the data breach was and ordered the federal government to do whatever is necessary to fix it. The agency the White House put in charge of this fix is the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA). But as I explained in The Doomsday Microsoft Government Email Data Breach, the IT incompetent DHS, including the CISA, was one of the many federal departments and agencies that was hacked during the first Microsoft email doomsday data breach, and probably still unknowingly is hacked, as explained. If they couldn't even protect themselves against the same kind of hacking during the first Microsoft email doomsday data breach, how are they going to protect the rest of the federal government during this sequel Microsoft email doomsday data breach? The only thing IT incompetent CISA has done is to direct the rest of the federal government to do whatever Microsoft tells it to do, the same IT incompetent Microsoft that allowed both doomsday data breaches in the first place.

(I wrote about the Cybersecurity and Infrastructure Security Agency in Handing Over America's Electrical Grid to the Russians and there have been some important developments with CISA, particularly its IT incompetent personnel and its responsibility to protect against hacking of the 2020 presidential elections, which, it should be noted, came after the federal government had already been hacked during the first Microsoft email doomsday data breach. I will write about these developments in a later article.)

What Microsoft says to do about this sequel Microsoft email doomsday data breach is on a single webpage of its security blog, which is mostly about damage control to Microsoft's reputation, as will be explained. The only fix Microsoft offers is some patches to apply to its Exchange software to prevent being hacked in the first place. But as explained, it is already too late for that, the hacking has been done and thousands of computers worldwide are owned, undetectably so, by the hackers. It's shutting the barn door after the horses have run out, or perhaps more appropriate in this case, after the Trojan Horses have run in. It's a doomsday data breach, the only fix is to completely erase all the hard drives and start over from scratch.

As I explained in The Doomsday Microsoft Government Email Data Breach, as part of their effort to hide their IT incompetence, the IT incompetents — in this case the U.S. Government and Microsoft — always claim that their data breaches were "sophisticated" hackings (see Data Breaches on Stop IT Incompetence) done, as supposedly only such a "sophisticated" hacking could be, by a foreign government. Right from the title of Microsoft's security blog webpage, HAFNIUM targeting Exchange Servers with 0-day exploits, Microsoft is trying to repair its reputation this way.

A "0-day exploit" is a software security vulnerability that is unknown to anyone but a single hacker and has never been used before. There is thus no patch for it, and when it is first used it is highly effective. They are thus very valuable and closely held secrets until used the first time as widely (massively) as possible. In competently coded software, they should be rare and very hard to find, found only by teams of expert government hackers.

HAFNIUM is the name given by Microsoft to the hackers, who they claim — a claim that could start a war — are associated with the Chinese government. By giving the hackers a name (a government research sounding one; hafnium is an element used in nuclear reactors), Microsoft makes it sound like they have dealt with them successfully before, so everything will be fine this time too.

The Microsoft Exchange software had 4 (!) of these supposedly-rare so-called 0-day exploits — labeled starting with CVE, for Common Vulnerabilities and Exposures — and there is evidence that other non-HAFNIUM hackers had already used them. No, this wasn't a sophisticated hacking, just incompetently-coded insecure software, done by Microsoft's cheap IT incompetent programmers from India; see The Doomsday Microsoft Government Email Data Breach.

Also on Microsoft's security blog webpage, and as I explained in The Doomsday Microsoft Government Email Data Breach, Microsoft discreetly admits to also providing the hackers with their domestic (to avoid suspicion) hacking command-and-control servers via leasing them some Microsoft cloud computers. Microsoft is one-stop shopping for hackers: both IT incompetent insecure software and the hardware to exploit it.

Most of what Microsoft has said about the Microsoft email doomsday data breaches has been to the media and been just reputation damage control, which for such massive data breaches must be done by the top people. With Microsoft founder and former CEO, Chairman, and President Bill Gates essentially retired, the top people at Microsoft are CEO Satya Nadella, Chairman John Thompson, and President and Chief Legal Officer Brad Smith. As CEO and the top guy with the most IT education, such as it is, Satya Nadella should be the frontman, but he himself is a foreigner, from India, and suspect in these doomsday data breaches; see The Doomsday Microsoft Government Email Data Breach. Chairman John Thompson only has business degrees and is an African-American with very close ties to the Democratic Party and government officials so can't be put up to ridicule. That leaves President Brad Smith to do all the talking. Smith is a white guy born in Milwaukee, Wisconsin, where Satya Nadella got a degree from bottom-ranked University of Wisconsin – Milwaukee. Smith only has degrees in public affairs and law, but this at least qualifies him for speaking deceitfully to the public via the media in order to do reputation damage control.

The IT incompetent media just repeats what Microsoft tells them, sometimes just mentioning the Microsoft security blog webpage to make it seem like they have some IT expertise and have done some research.

Much of the American reporting on this sequel Microsoft email doomsday data breach — the media missed the first one — was based on a Bloomberg News article by William Turton and Jordan Robertson. Foolishly, the article quotes Alex Stamos as their cybersecurity expert. Alex Stamos was (Mar 2014 – Jun 2015) CISO of Yahoo during their two massive data breaches (late 2014) that compromised 500 million and 1 billion user accounts. Then Stamos was (Jun 2015 – Aug 2018) CISO of Facebook during its massive data breach (Jul 2017 – Aug 2018) that compromised 50 million user accounts. See Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach.

Jordan Robertson is the cybersecurity reporter for Bloomberg but only has a bachelor's in journalism from a low-ranked California college and a master's in filmmaking from "No Free Speech" University of California, Berkeley. He plays second fiddle to article first author William Turton, who may not even be old enough to have gone to college.

William Turton was hailed as a tech reporter wunderkind, particularly about cybersecurity, when just a few years ago as a teenager he was writing about video game playing and "broke" a story about "hackers" briefly taking down the Sony PlayStation and Microsoft Xbox Live networks, as part of a marketing scheme. The IT incompetent media is full of IT incompetent older people who think young people must inherently be IT experts, which is exactly wrong since becoming an IT expert takes years of study at good universities and then years of IT experience. So now a leading national news source, Bloomberg, is letting a foolish kid write influential stories about national security that could lead to war.

If this sequel wasn't such a real tragedy, it would indeed be a comedy.