Organizations in defense contracting, legal services, and healthcare research that ran unpatched, internet-facing Exchange Server during 2020 and 2021 may have had sensitive communications, intellectual property, and client data exfiltrated by a state-sponsored actor, with no ransom demand or service disruption to reveal it. The absence of operational impact is itself the risk: MSS-affiliated espionage campaigns prioritize quiet, persistent access, so data theft can occur without tripping alerts tuned for disruptive attacks. Downstream exposure includes regulatory scrutiny under DFARS/CMMC for defense contractors, litigation risk from compromised privileged legal communications, and research IP loss with long-term competitive consequences.
You Are Affected If
You operated an internet-facing on-premises Exchange Server (2013, 2016 or 2019) at any point between February 2020 and June 2021. The ProxyLogon vulnerabilities were exploited before Microsoft's March 2021 emergency patches were released, so applying those patches promptly narrows the exposure window but does not rule out an earlier compromise
Your Exchange IIS directories (in particular the OWA and ECP auth directories under FrontEnd\HttpProxy and the aspnet_client directory under inetpub) have not been audited for unauthorized ASPX webshells from the 2020-2021 period
Your organization operates in a sector targeted by Silk Typhoon: defense contracting, infectious disease research, law firms, or COVID-19 research institutions
Exchange administrative and service account credentials active during the 2020-2021 window have not been rotated since that period; a webshell on Exchange runs with the web server's high privileges, so credentials cached or used on that host, not only Exchange admin accounts, should be treated as exposed
Your Exchange environment lacks network-layer monitoring capable of detecting anomalous outbound data transfer from mail infrastructure
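The following PowerShell script is an added example of the historic-compromise audit described in the checklist above; it is not from the original page or from any vendor tool. It checks two things on an Exchange server: whether the installed build is at or above a March 2021 security-update build, and whether any server-side script files in the directories Microsoft named in its ProxyLogon guidance were created or modified inside the intrusion window or contain code patterns typical of the webshells dropped in that campaign. The build numbers are the March 2, 2021 security-update builds as I recall them from Microsoft's release notes; the date window and the content indicators are assumptions chosen for illustration, and a file that matches none of them is not proof of absence, since attackers delete shells and adjust timestamps.

```powershell
# Added example, not the page's or Microsoft's code. Run in an elevated
# PowerShell session on the Exchange server itself.

$Start = Get-Date '2020-02-01'   # assumed intrusion window (from the checklist above)
$End   = Get-Date '2021-06-30'

$ExchangeRoot = $env:ExchangeInstallPath
if (-not $ExchangeRoot) {
    Write-Warning 'ExchangeInstallPath is not set; falling back to the default install path.'
    $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\'
}

# Directories where ProxyLogon webshells were written (Microsoft's HAFNIUM guidance).
# Recursion below also covers aspnet_client\system_web.
$Targets = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Content heuristics for China Chopper style one-line shells and command runners.
# These are assumptions for triage, not a signature set; expect some noise.
$Indicators = @(
    'eval\(Request',
    'Request\.Item\[',
    '"unsafe"',
    'Process\.Start',
    'cmd\.exe'
)

# March 2, 2021 security-update builds (verify against Microsoft's Exchange build table).
$PatchedBuilds = @(
    [version]'15.2.792.10',   # Exchange 2019 CU8
    [version]'15.2.721.13',   # Exchange 2019 CU7
    [version]'15.1.2176.9',   # Exchange 2016 CU19
    [version]'15.1.2106.13',  # Exchange 2016 CU18
    [version]'15.0.1497.12'   # Exchange 2013 CU23
)

function Test-ProxyLogonPatched([version]$Build) {
    # Compare only within the same cumulative update: a CU is identified by the
    # third component, the security-update level by the fourth.
    $sameCu = $PatchedBuilds | Where-Object {
        $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor -and $_.Build -eq $Build.Build
    }
    if (-not $sameCu) { return 'Unknown CU: compare against Microsoft build table' }
    if ($Build.Revision -ge $sameCu.Revision) { 'Patched' } else { 'UNPATCHED' }
}

function Get-ExchangeBuild {
    $exsetup = Join-Path $ExchangeRoot 'Bin\ExSetup.exe'
    try { [version](Get-Item $exsetup).VersionInfo.ProductVersion }
    catch { Write-Warning "Could not read $exsetup"; $null }
}

function Find-SuspiciousWebFiles {
    foreach ($dir in $Targets) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reasons = @()
                # aspnet_client normally holds only static client script; any server
                # page there is suspect regardless of timestamp or content.
                if ($_.FullName -like 'C:\inetpub\wwwroot\aspnet_client*') {
                    $reasons += 'server-side script in aspnet_client'
                }
                if ($_.CreationTime -ge $Start -and $_.CreationTime -le $End) {
                    $reasons += "created $($_.CreationTime.ToString('u'))"
                }
                if ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End) {
                    $reasons += "modified $($_.LastWriteTime.ToString('u'))"
                }
                $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
                foreach ($pattern in $Indicators) {
                    if ($content -match $pattern) { $reasons += "matches '$pattern'" }
                }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Bytes   = $_.Length
                        Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
    }
}

$build = Get-ExchangeBuild
if ($build) { "Exchange build $build : $(Test-ProxyLogonPatched $build)" }
Find-SuspiciousWebFiles | Format-Table -AutoSize -Wrap
```

Treat every hit as a triage lead rather than a verdict: hash anything unfamiliar and compare it with published indicator lists, and preserve the file and its timestamps before removing it. Because a shell may have been deleted since 2021, the file scan should be paired with a review of the IIS request logs and the HttpProxy logs under the Exchange Logging directory for the same window; Microsoft's Test-ProxyLogon.ps1 script in its public CSS-Exchange repository automates that log review and is a reasonable companion to a file audit like this one.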
Board Talking Points
A Chinese government-linked hacker has been extradited to the US for stealing data from defense contractors, law firms, and research institutions by exploiting Microsoft's email server software — the same attack method may have targeted your organization if you ran that software unpatched in 2020 or 2021.
Security teams should audit Exchange Server environments for signs of historic compromise and confirm all current patches are applied; this review should be completed within 30 days.
Organizations that do not investigate potential historic Exchange compromise risk discovering a long-standing breach during a regulatory audit or litigation, rather than on their own terms.
DFARS/CMMC — Defense contractors targeted by this campaign handle Controlled Unclassified Information (CUI) on Exchange infrastructure; a historic compromise may trigger CMMC incident reporting obligations
HIPAA — Infectious disease research institutions and healthcare organizations targeted in this campaign may have had protected health information (PHI) transiting Exchange Server during the intrusion window