Republican Governors Association Targeted in Exchange AttacksBreach Notification Report Reveals Some PII Could Have Been Exposed
The Republican Governors Association was one of several U.S. organizations targeted in March when a nation-state group took advantage of vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.
In the copy of the breach notification letter sent to those Maine residents affected by the incident, the Republican Governors Association notes that some of the personally identifiable information of about 500 people in total associated with the organization could have been exposed.
The exposed data includes names and Social Security numbers, according to the letter.
The Republican Governors Association letter also notes that the investigation into the breach remains open and it's not clear from the information gathered so far what specific data may have been exposed or stolen during the attack.
"RGA is unable to determine what personal information, if any, was impacted as a result of the incident," according to the letter, which is signed by Dave Rexrode, the executive director of the association. "However, on June 24, 2021, RGA determined that your personal information was in the impacted portion of RGA's email environment at the time of the incident and may have been accessible to the threat actor(s) as a result."
The Republican Governors Association, which is based in Washington, D.C., supports and helps elect Republican governors and candidates. A spokesperson for the nonprofit could not be immediately reached for comment on Thursday.
The Republican Governors Association was first notified about the potential breach on March 10, and it appears that the attackers had access to the organization's networks between February and March, according to the letter.
On March 4, Microsoft released emergency patches for four flaws in certain versions of the company's on-premises Exchange email servers. These vulnerabilities were later identified as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, according to security researchers.
Some security researchers, including analysts at Volexity, believe that the attacks may have started as early as January when the security firm spotted CVE-2021-26855 being exploited in the wild (see: Exchange Server Attacks Spread After Disclosure of Flaws).
Later, security researchers estimated that thousands of organizations across the U.S., especially smaller businesses and government agencies that continued to rely on on-premises versions of Exchange for email servers, had been targeted. Other countries also reported incidents related to these attacks (see: Hackers Exploit Exchange Flaws to Target Local Governments).
Microsoft later attributed the attacks to a threat organization that the company calls Hafnium. In July, the Biden administration formally accused a group working for China's Ministry of State Security of carrying out these attacks against vulnerable Exchange servers (see: US: Chinese Government Waged Microsoft Exchange Attacks).
And while the initial wave of attacks associated with the Exchange vulnerabilities appears to be the work of China's MSS, researchers later found that other groups then began exploiting the bugs for their own means, including launching ransomware attacks.
While the Chinese threat group was probably not targeting the Republican Governors Association specifically, China's intelligence agencies are likely to have taken any personal or sensitive data gleaned from the attack and added the information to various databases that the country has developed over time to track certain individuals, says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
"China has probably collected personal information on the majority of American citizens. Connecting all of these data points, obtained from countless successful data breaches, in a massive database can be used for corporate espionage, blackmail and intelligence on high-ranking government officials," says Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. "Small, medium or large companies - it does not matter - the end game is a massive intelligence collection operation aimed at building a social, economic and political advantage over the United States."
Since the attack was discovered in March, the Republican Governors Association notes that the organization has applied the patches that Microsoft issued for the vulnerable versions of its on-premises Exchange server. Law enforcement and other agencies have been notified as well, according to the letter.
Credit monitoring services are also being offered to the approximately 500 people affected by the attack, the letter notes.
"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian," according to the letter. "RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."