The scale of a hack on Microsoft Exchange is beginning to emerge, with tens of thousands of organisations potentially compromised.
The attack used previously unknown flaws in the email software – and sometimes stolen passwords – to steal data from targets’ networks.
Microsoft says the attackers are “state-sponsored and operating out of China”.
And while it initially thought the number of attacks had been “limited”, it has since reported “increased use” of the tactics – probably because other hackers are piling in to take advantage of the now public vulnerabilities before systems are patched.
All this comes hard on the heels of the SolarWinds cyber-campaign, linked to Russia, that affected multiple US government departments and other organisations.
This time round, the companies and other bodies affected are apparently of less strategic importance.
But even so, the two attacks put the new Biden administration under pressure to respond.
And weary cyber-defenders say events are not just escalating but spiralling out of control.
Both Russia and China have denied any involvement.
US national security adviser Jake Sullivan tweeted the White House was “closely tracking” reports of the latest breach, a sign the administration wants to be seen to be taking the issue seriously.
One US senator has described the SolarWinds attack as an “act of war”.
Others have disagreed.
But it illustrates how rhetoric about cyber-campaigns is escalating, heightening pressure for tough action.
Although, it is unclear what effective options the president has.
And there are concerns his administration has boxed itself in with tough talk when it is unclear if it can actually deter adversaries.
The New York Times has reported US officials have said the “first move”, in the “coming weeks”, will be a series of clandestine actions on Russian networks.
These are likely to be coupled with economic sanctions and some kind of public attribution.
Telegraphing plans for clandestine attacks may seem a little odd.
But part of the point is to be seen to be responding.
“It is just an excuse to do nothing but look tough,” one cyber-security veteran says.
For its part, the UK is preparing to launch its own security-and-defence review, in which China is expected to feature.
It has said less than the US about the latest hack, although it is investigating its impact.
The US military’s Cyber Command has pursued a strategy in recent years of “defend forward” and “persistent engagement”.
This means hacking into adversary systems to find out what they are doing – and stopping operations against the US before they are unleased.
In the run-up to the 2018 mid-term elections, US military operators accessed the systems of Russian operators sending out propaganda targeting the elections.
They reportedly blocked internet access and sent messages to say the US knew what they were up to.
- EU bank authority hit by Microsoft email hack
- US warns of ‘active threat’ over Microsoft attack
- Microsoft slams SolarWinds ‘indiscriminate’ hack
This contesting of cyber-space was seen by many as long overdue.
But Russia and China appear undeterred.
One option now might be to hit back harder.
But escalation carries its own risks.
And critics are concerned attack continues to be given more priority – and resources – than defence.
Recent events also highlight challenges in the US strategy of trying to establish “norms” in cyber-space.
The US had considered espionage – stealing information – acceptable, because it practised it extensively, as whistleblower Edward Snowden revealed in 2013.
The problem for Washington is recent breaches may fit into the same category.
That leaves the US in a bind.
And it is seemingly reinterpreting its own red lines to say such action in fact requires a response.
But just because the US sets a particular red line, there is no reason others have to respect it.
Other nations frequently point to the fact the US says destructive cyber-attacks are unacceptable but was the first to cross that line a decade ago when it used the Stuxnet attack to destroy parts of the Iran nuclear system.
This all reflects a long-standing tension for the US in cyber-security.
It has always known more about cyber-space than anyone else – partly because it largely built it.
That meant it was able to take advantage of it in a way few others could, including for espionage.
But it has understood it was also more vulnerable than anyone else because it was the most advanced and digitally connected.
For years, the advantages outweighed the risks.
But now, other countries are proving not just able but willing to push harder and exploit digital dependencies.
And that has left US policymakers wrestling with how to respond.