Malware
UK Government Connects 2021 Electoral Commission Cyberattack to Exchange Server Vulnerability
The UK government has connected the recent Electoral Commission data breach to Microsoft Exchange Server vulnerabilities. Cybersecurity experts urge organizations to apply Microsoft’s security updates to protect sensitive information and prevent further cyberattacks.
Did you know that the United Kingdom’s Electoral Commission was hacked in August 2021? The breach happened because the commission had not patched its on-premises Microsoft Exchange Server against the ProxyShell vulnerability chain. In plain terms, an internet-facing mail server sat unpatched for months after fixes were available, and that left the door wide open for attackers.
According to the U.K. National Cyber Security Centre (NCSC), the breach was the work of a Chinese state-backed threat actor. The attackers chained three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, known collectively as ProxyShell) to gain access to the commission’s Exchange Server 2016 and install web shells and backdoors, which gave them persistent control over the system.
Microsoft had already shipped fixes for the three ProxyShell vulnerabilities in its April and May 2021 Exchange security updates, months before the intrusion, but the commission had not applied them, leaving its server exposed.
The intrusion went unnoticed for more than a year. It was discovered on October 28, 2022, when an employee noticed that the commission’s Exchange server was being used to send spam emails. By then, the attackers had already accessed the personal information of around 40 million voters, including names, home addresses, email addresses, and phone numbers.
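Detecting this kind of intrusion earlier comes down to looking for the ProxyShell request pattern in the Exchange server’s IIS logs. The script below is an added example, not code from the Electoral Commission, the ICO or Microsoft: it parses an IIS W3C log using the log’s own `#Fields` header, decodes the query string, and flags the publicly documented indicators of the chain, the `@` path-confusion request against `/autodiscover/autodiscover.json` (CVE-2021-34473), the backend `/powershell` endpoint reached through it with an `X-Rps-CAT` token (CVE-2021-34523), and later hits on a `.aspx` under `/aspnet_client/`, a location Exchange does not serve application pages from and a common drop point for web shells written via CVE-2021-31207. The log excerpt, IP addresses and domain are constructed for the example; the mailbox-export step itself does not show up as a distinct line in IIS logs, so it is not a rule here.

```python
"""Hunt an IIS W3C log for ProxyShell request patterns (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log, modelled on the default Exchange IIS log layout.
# The #Fields header drives the parser, exactly as it does in real IIS logs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2021-08-12 03:15:22 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-12 03:15:31 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-12 03:18:40 10.0.0.5 POST /aspnet_client/zxc.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-12 03:20:45 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\jsmith 10.0.1.22 Microsoft-Office/16.0 200
"""

# Each rule is (name, predicate over one parsed request). The patterns are the
# publicly documented ProxyShell indicators, not anything specific to this case.
RULES = [
    # CVE-2021-34473: pre-auth path confusion through Autodiscover. The "@" in
    # the query is the tell-tale of the SSRF towards a backend path.
    ("proxyshell-ssrf CVE-2021-34473",
     lambda r: r["cs-uri-stem"].lower().endswith("/autodiscover/autodiscover.json")
     and "@" in r["cs-uri-query"]),
    # CVE-2021-34523: backend PowerShell endpoint reached via that SSRF with a
    # forged X-Rps-CAT token.
    ("backend-powershell CVE-2021-34523",
     lambda r: "/powershell" in r["cs-uri-query"].lower()
     and "x-rps-cat" in r["cs-uri-query"].lower()),
    # Post-exploitation: a .aspx served from /aspnet_client/ is a likely web shell.
    ("possible-webshell",
     lambda r: re.match(r"/aspnet_client/.+\.aspx$", r["cs-uri-stem"], re.I) is not None),
]


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: request data before any #Fields header")
        values = line.split()  # IIS writes spaces inside fields as '+', so split is safe
        if len(values) != len(fields):
            continue  # truncated or mangled line; skipped here, worth a look in practice
        rec = dict(zip(fields, values))
        rec["lineno"] = lineno
        # IIS percent-encodes the query; decode once so "%3F" matches "?" in the rules.
        rec["cs-uri-query"] = unquote(rec.get("cs-uri-query", "-"))
        records.append(rec)
    return records


def hunt_proxyshell(text):
    """Return one finding per request that matches at least one rule."""
    findings = []
    for rec in parse_iis_log(text):
        hits = [name for name, match in RULES if match(rec)]
        if hits:
            findings.append({
                "lineno": rec["lineno"],
                "time": f'{rec["date"]} {rec["time"]}',
                "c-ip": rec["c-ip"],
                "request": f'{rec["cs-method"]} {rec["cs-uri-stem"]} {rec["cs-uri-query"]}',
                "rules": hits,
            })
    return findings


def suspicious_clients(findings):
    """Group rule hits by client IP so a full chain from one source stands out."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["c-ip"], set()).update(f["rules"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    found = hunt_proxyshell(SAMPLE_IIS_LOG)
    for f in found:
        print(f'line {f["lineno"]} {f["time"]} {f["c-ip"]} {f["rules"]}\n    {f["request"]}')
    print(suspicious_clients(found))
```

On a real server the logs live under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\` by default, and the field list varies by site, which is why the parser reads the header rather than assuming positions. A single source IP that trips all three rules in sequence, as in the constructed sample, is the whole ProxyShell chain in one screen; a hit on the first rule alone is common scanner noise on an unpatched server and is still worth checking against the patch level.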
While the commission tried to downplay the impact by saying “much of it is already in the public domain,” only voters’ names and addresses are publicly available in the U.K. open register, and only for the voters who did not opt out of it; the email addresses and phone numbers taken from the commission’s systems are not.
The Information Commissioner’s Office (ICO) had some strong words for the Electoral Commission, stating that it “did not have appropriate security measures in place to protect the personal information it held” and that password policies at the time of the attack were insufficient: many accounts were still using passwords identical or similar to the ones originally allocated by the service desk.
A Wake-Up Call
In July 2024, the ICO reprimanded the U.K. elections authority for failing to protect its systems and the personal information of millions of voters. The ICO’s Deputy Commissioner Stephen Bonner said that if the commission “had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”
However, Bonner also noted that the ICO has no reason to believe any personal information was misused since it was accessed in 2021 and has yet to find evidence that the breach has caused direct harm to impacted voters.
In August 2021, the same month the commission was breached, Shodan was tracking tens of thousands of internet-exposed Exchange servers still vulnerable to ProxyShell. The attack also came after the U.K., the U.S., and their allies publicly blamed China’s Ministry of State Security (MSS) for the wave of Exchange attacks that hit tens of thousands of organizations worldwide in March 2021. MSS is linked to the state-backed hacking groups tracked as APT40 and APT31.
So, what can we learn from this incident? It’s a stark reminder that even large organizations with access to vast resources can fall victim to cyberattacks if they don’t take basic precautions. Patch internet-facing systems promptly, enforce strong password policies (including forcing a change of any password issued by the service desk), and watch your servers for signs of compromise rather than waiting for them to start sending spam.
Don’t let this happen to you. Keep coming back to learn more about cybersecurity best practices, and feel free to contact us for expert advice on how to protect your valuable data from cybercriminals.