Microsoft Corp. and U.S. government officials are still working to understand how a network of suspected Chinese hacking groups carried out an unusually indiscriminate and far-reaching cyberattack on Microsoft email software, more than a month after the discovery of an operation that rendered hundreds of thousands of small businesses, schools and other organizations vulnerable to intrusion.
A leading theory has emerged in recent weeks, according to people familiar with the matter: The suspected Chinese hackers mined troves of personal information acquired beforehand to carry out the attack.
Such a method, if confirmed, could realize long-held fears about the national security consequences of Beijing's prior massive data thefts. And it would suggest the hackers had a higher degree of planning and sophistication than previously understood.
"We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks, " said Anne Neuberger, President Biden's deputy national security adviser for cyber and emerging technology. "Their potential ability to operationalize that information at scale is a significant concern."
Soon after the hack on computer systems using Microsoft Exchange Server was discovered in March, senior national security officials in the Biden administration recognized it as a major international cybersecurity problem.
The White House assembled an interagency task force that included private-sector partners, such as the Redmond, Wash., tech giant and cybersecurity companies, to quickly share information and develop security patches for the affected Exchange Server customers.
Among the potential sources of the personal data is China's vast archive of likely billions of personal records its hackers stole over the past decade. The hackers may have mined that to discover which email accounts they needed to use to break into their targets, according to people familiar with the matter.
Another theory under investigation: The hackers scanned social-media sites like LinkedIn to determine which email accounts corresponded to systems administrators and were therefore likely the ones to use in the attack. A third: The hackers may have been simply lucky, breaking into systems using a default administrator email address.
The attack on the Exchange Server systems began slowly and stealthily in early January, launched by a hacking group dubbed Hafnium that has targeted infectious-disease researchers, law firms and universities in the past, cybersecurity officials and analysts said. The operational tempo picked up dramatically, as other China-linked hacking groups became involved, infecting thousands of servers, while Microsoft scrambled to send its customers a software patch in early March.
Microsoft and other security companies have publicly linked the Exchange Server attack to groups believed to be based in China. The Biden administration hasn't publicly attributed the hack to any group, and China has denied involvement.
But officials at Microsoft and within the Biden administration remain puzzled by how the suspected Chinese actors were able to pull off such a global operation so rapidly, said Tom Burt, Microsoft's vice president of customer security and trust, in an interview.
The attackers exploited a set of previously unknown bugs to infiltrate Exchange Server systems and target a range of the systems' users. But to do that, the hackers had to know the email accounts of the respective networks' system administrators, Mr. Burt said.
A theory soon emerged that the hackers were relying on personal information that led them to the system administrators' email account names, whether mined in previous hacks, or scraped from publicly available social-media sites like LinkedIn.
"That could be from big hacks of big data sets. It could also be that they have big teams of people who are focused on doing the social research to try to build out these data sets," Mr. Burt said. "Who knows?"
In 2015, the Obama administration discovered that hackers linked to China breached the U.S. Office of Personnel Management, the human-resources office for the U.S. federal government. The hackers pilfered millions of government background investigation records dating back 20 years, gaining detailed information on current and former U.S. government employees and their families.
Beijing has also been implicated in scores of hacks of enormous databases of personal information from corporations in the U.S. and overseas, such as Marriott International Inc. and the credit-reporting company Equifax Inc.
Additionally, many Exchange Server systems use the default administrator account, "administrator@" followed by the network's domain name, creating another path for the hackers to exploit.
As the code used in the Exchange Server attacks was made public, security experts and U.S. officials urgently warned that criminals would leverage that code in a second massive wave of cyberattacks.
But the feared wave of attacks wasn't as severe as anticipated, according to investigators. Those hackers wouldn't likely have had access to the personal information, giving credence to cybersecurity officials' theory that the Chinese hackers may have used extra information.
The number of potential victims was enormous. On March 9, the cybersecurity company Palo Alto Networks Inc. said it had identified 125,000 potentially vulnerable Exchange systems that hadn't been patched. By April 1, more than 90% of Microsoft's customers had patched their systems to address the vulnerabilities used in the attack, Mr. Burt said.
Microsoft has pushed its customers to install security patches over the past month, releasing a blizzard of more than 25 patches that covered the wide array of Exchange versions. At the Biden administration task force's urging, the company also simplified the updating process for customers, releasing a "one-click patch" option. In meetings, the group has discussed possibilities for how the attack was pulled off without reaching consensus on any one theory, Mr. Burt and others said.
In all, the China-linked hackers are estimated to have infiltrated as many as 20,000 servers, according to an estimate by Symantec, the security division of Broadcom Inc. But because Microsoft has only limited access to data about Exchange servers running within its customer data centers, the full scope of the attack may never be known, Mr. Burt said.