The formal legal attribution of Silk Typhoon to Chinese state intelligence confirms that the 2020–2021 Exchange exploitation campaign was directed espionage, not opportunistic crime. Organizations in research, biotech, defense contracting, or government that operated Exchange Server during that window face residual risk — persistent access via valid credentials or web shells may not have been detected or fully eradicated. Regulatory exposure is highest for organizations subject to research data protection obligations or federal contracting cybersecurity requirements (CMMC, FISMA), where undetected historical compromise carries both compliance and reputational consequences.

You Are Affected If
You ran Microsoft Exchange Server 2019 or earlier in production between February 2020 and June 2021
Your Exchange environment was internet-facing without WAF or IPS during that window
You have not conducted a post-ProxyLogon/ProxyShell forensic review of IIS logs and Exchange virtual directories
Your organization operates in a sector targeted by Silk Typhoon: COVID-19 research, biotech, defense, law firms, or government
You have not rotated service account credentials associated with Exchange since early 2021

Board Talking Points
A U.S. court has formally tied the Chinese government's intelligence service to a 2020–2021 cyberattack campaign that compromised Microsoft Exchange servers at research and government institutions.
Organizations that ran Exchange Server during that period should commission a targeted forensic review of historical logs to confirm no persistent access remains — this should be completed within 30 days.
Without that review, organizations cannot rule out that Chinese state-sponsored actors retained access to email, research data, or internal systems — a risk with significant legal, regulatory, and reputational consequences.

CMMC / DFARS 252.204-7012 — organizations in the defense industrial base that ran Exchange during the campaign window may have an undetected breach affecting CUI (Controlled Unclassified Information), triggering reporting and remediation obligations
FISMA — federal agencies and contractors operating Exchange Server are required to assess and report confirmed or suspected compromise of federal information systems