Republican Governors Association email server breached by state hackers

The Republican Governors Association (RGA) revealed in data breach notification letters sent last week that its servers were breached during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide in March 2021.

RGA is a US political organization and a tax-exempt 527 group that provides Republican candidates with the campaign resources they need to get elected as governors across the country.

SSNs and payment information exposed

Following an investigation started after March 10, “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.”

Even though the RGA said that, at first, it wasn’t able to discover if any personal information was impacted, a subsequent “thorough data mining effort to identify potentially impacted individuals” revealed that names, Social Security numbers, and payment card information were exposed in the attack.

RGA discovered that individuals affected by this data breach had their personal information exposed on June 24 and completed its “data mining” efforts on September 1.

“Once potentially impacted individuals were identified, RGA worked to identify addresses and engage a vendor to provide call center, notification, and credit monitoring services,” RGA told impacted individuals in a breach letter sent on September 15.

“RGA is also offering you two (2) years of complimentary credit monitoring and identity restoration services with Experian. RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required.”

A Republican Governors Association spokesperson was not available for comment when contacted by BleepingComputer earlier today.

Abused for data theft, to deploy ransomware and cryptominers

The massive scale hacking campaign RGA refers to in its data breach notification letter targeted more than a quarter of a million Microsoft Exchange servers, owned by tens of thousands of organizations around the world.

The attackers exploited four zero-days (collectively known as ProxyLogon) in attacks targeting on-premises Microsoft Exchange servers in indiscriminate attacks against orgs from multiple industry sectors worldwide, with the end goal of stealing sensitive information.

Threat actors behind ProxyLogon attacks have also been observed deploying web shells, cryptomining malware, as well as DearCry and Black Kingdom ransomware payloads on hacked Exchange servers.

After Microsoft disclosed the attacks in early March, Slovak internet security firm ESET spotted at least ten APT groups attacking vulnerable Exchange servers.

Microsoft said at the time that the Chinese state-sponsored hacking group known as Hafnium was behind some of these attacks.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Microsoft said.

In July, the company’s attribution was confirmed when the US and allies, including the European Union, the United Kingdom, and NATO, officially blamed China for this widespread Exchange hacking campaign.

The Biden administration attributed “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”