The Republican Governors Association Admits That Its Exchange Server Got Pwned Earlier This Year

The Republican Governors Association email server was breached by state hackers. The RGA revealed in a data breach notification letter sent last week that its servers were breached during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide in March 2021:

On March 10, 2021, RGA was alerted to an exploit in Microsoft’s Exchange Service email software. This was a widespread exploit at Microsoft that threat actor(s) utilized to attack companies across the globe. Once RGA learned of the exploit, it immediately launched an investigation, with the assistance of cybersecurity experts, into the nature and scope of the incident. As part of this investigation, RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.

The forensic investigation was unable to identify what personal information, if any, was impacted as a result of this incident. Out of an abundance of caution, RGA commenced a thorough data mining effort to identify potentially impacted individuals. Once impacted individuals were identified, RGA worked to identify addresses, prepare statutorily compliant notification deliverables, and engage a vendor to provide call center, notification, and credit monitoring services. RGA completed its extensive address search on September 1, 2021.

The address search determined that your state resident(s) had their name, in addition to one of the following, accessible to the threat actor(s): Social Security number or payment card information.

Saumitra Das, CTO and Cofounder of Blue Hexagon, had this to say about the attack:

The MS Exchange vulnerabilities affected a large number of organizations such as the RGA. Even after the vulnerabilities were announced, several servers remained (1) accessible to the general Internet and (2) unpatched. So the attacks likely continued for a long time after the original CVEs were published. In addition, organizations are typically not inspecting East-West internal network traffic, and even North-South external traffic is usually inspected with a legacy threat- or malware-signature-based firewall. Post initial access, detection and response at the network and endpoint layer could potentially thwart such state-sponsored attacks.

It’s time for companies to change how they defend their Exchange servers, starting with the two conditions named above: knowing which servers are reachable from the Internet and whether each one is running a patched build. Attacks like this one are far less effective against an organization that can answer both questions the day an advisory lands.
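As an added example (not from the original post, the RGA letter, or Blue Hexagon), here is a small Python triage script for the two conditions Das calls out: is Outlook Web Access reachable, and is the server's build below the fixed one? Exchange writes its build number into the static resource paths of the OWA logon page (for example /owa/auth/15.2.721.2/themes/...), so the build can be read from a single page fetch. The HTML samples are constructed for the demo, and the build "floors" are placeholders: real fixed-build numbers must be taken from Microsoft's Exchange Server build-number table, not from this block.

```python
import re
from typing import Dict, Optional, Tuple

# Exchange embeds its build in OWA static resource paths, e.g.
# /owa/auth/15.2.721.2/themes/resources/favicon.ico
BUILD_PATH_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+\.\d+)/")

# PLACEHOLDER floors keyed by (major, minor): 15.0 = Exchange 2013,
# 15.1 = Exchange 2016, 15.2 = Exchange 2019. These values are NOT the
# real fixed builds; replace them with the ones from Microsoft's build table.
PLACEHOLDER_FLOORS: Dict[Tuple[int, int], str] = {
    (15, 0): "15.0.1500.0",
    (15, 1): "15.1.2200.0",
    (15, 2): "15.2.750.0",
}

# Constructed sample pages (not captured from any real server).
SAMPLE_OLD = (
    '<html><head><link rel="shortcut icon" '
    'href="/owa/auth/15.2.721.2/themes/resources/favicon.ico"></head></html>'
)
SAMPLE_NEW = (
    '<html><head><script src="/owa/auth/15.2.800.5/scripts/boot.0.js">'
    "</script></head></html>"
)
NON_OWA = "<html><body><h1>Welcome to nginx!</h1></body></html>"


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn '15.2.721.2' into a tuple so builds compare numerically, not as strings."""
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build string: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def extract_build(html: str) -> Optional[str]:
    """Return the first Exchange build found in OWA resource paths, or None."""
    match = BUILD_PATH_RE.search(html)
    return match.group(1) if match else None


def assess(html: str, floors: Dict[Tuple[int, int], str]) -> dict:
    """Classify a fetched logon page: not OWA, unknown branch, at/above floor, or below floor."""
    build = extract_build(html)
    if build is None:
        return {"exposed_owa": False, "build": None, "status": "no-owa-fingerprint"}
    parsed = parse_build(build)
    floor = floors.get(parsed[:2])
    if floor is None:
        status = "unknown-branch"
    elif parsed >= parse_build(floor):
        status = "at-or-above-floor"
    else:
        status = "BELOW-FLOOR: patch or take offline"
    return {"exposed_owa": True, "build": build, "status": status}


def fetch_owa_logon(host: str, timeout: float = 5.0) -> str:
    """Live fetch of the OWA logon page; only run against hosts you own. Not used offline."""
    import urllib.request

    url = f"https://{host}/owa/auth/logon.aspx"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # assumes a valid TLS cert
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for label, page in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", NON_OWA)):
        print(label, assess(page, PLACEHOLDER_FLOORS))
```

Run it against the constructed samples as-is, or swap in fetch_owa_logon(host) over the list of hosts from your external attack-surface inventory. A "BELOW-FLOOR" result is the combination Das describes (Internet-reachable and unpatched); "no-owa-fingerprint" only means this page did not reveal a build, not that the host is safe.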
