The Republican Governors Association (RGA) disclosed in a data breach notification letter sent last week that its servers were compromised during the broad Microsoft Exchange hacking campaign that hit organizations across the world in March 2021.
The Republican Governors Association is a US political organization and a tax-exempt 527 group that provides Republican candidates with the operational resources they need to get elected as governors across the country.
How were SSNs and payment card data exposed?
Following the investigation it launched after March 10, “RGA determined that the attackers accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal data may have been accessible to the attacker(s) as an outcome.”
Although RGA said it was initially unable to determine whether any personal data was affected, a subsequent “thorough data mining effort to identify potentially affected individuals” revealed that names, Social Security numbers, and payment card information were exposed in the attack.
RGA learned on June 24 that the personal information of individuals affected by the breach had been exposed, and it completed its “data mining” effort on September 1. “Once potentially affected persons were identified, RGA worked to identify their addresses and enlist a vendor to facilitate call center, notification, and credit monitoring services,” RGA told affected individuals in a breach notification letter sent on September 15.

“RGA is also providing the individuals with two years of complimentary credit monitoring and identity restoration services with Experian. RGA has also alerted the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required.”
A Republican Governors Association spokesperson was not available for comment when contacted earlier today.
Exploited for data theft, ransomware, and cryptominers
The large-scale hacking operation RGA refers to in its breach notification letter targeted more than a quarter of a million Microsoft Exchange servers owned by tens of thousands of organizations around the world.
The attackers chained four zero-day vulnerabilities (collectively known as ProxyLogon) against on-premises Microsoft Exchange servers in indiscriminate attacks on organizations across multiple industry sectors worldwide, with the end goal of stealing sensitive information. Exchange Online was not affected.
Threat actors behind the ProxyLogon attacks have also been observed deploying web shells, cryptomining malware, and DearCry and Black Kingdom ransomware payloads on compromised Exchange servers. Because a web shell planted before patching survives the patch, applying Microsoft’s March 2021 security updates alone did not evict an attacker who had already compromised a server; affected organizations also had to hunt for and remove any web shells left behind.
After Microsoft disclosed the attacks in early March, Slovak internet security firm ESET spotted at least ten APT groups attacking vulnerable Exchange servers. Microsoft said at the time that the Chinese state-sponsored hacking group known as Hafnium was behind some of these attacks.
“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said.
Microsoft’s attribution was corroborated in July, when the US and its allies, including the European Union, the United Kingdom, and NATO, officially blamed China for the widespread Exchange hacking campaign.
The Biden administration said it was attributing “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.” (MSS is China’s Ministry of State Security.)