Estimates of the number of victims hit by the cyberattacks on Microsoft email servers by the alleged Chinese government-backed hacking group «Hafnium» have soared to at least 60,000, with the group's reach extending even to the financial sector.

The European Banking Authority was the latest entity to admit that it was a victim of Hafnium’s attacks on Microsoft’s email servers, stressing that investigations thus far indicate that the breach has not resulted in data extraction.

«The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,» it said in a statement.

«At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.»

Hafnium: Made in China?

Last week, security researcher Brian Krebs first reported the attack on the email software – Microsoft Exchange Server – calling it «unusually aggressive» and equipped with tools that provide «total, remote control over affected systems».

Separately, Maryland-based security firm Huntress said that victims included not only «less than sexy» mid-market victims but also city and county governments, healthcare providers, banks and financial institutions. 

Earlier this month, Microsoft had already acknowledged the attacks and blamed China not only for housing the operations but also for sponsoring them. Chinese officials have publicly denied the accusations.

U.S. Response

In response, the Biden administration is launching an emergency task force to deal with the «active threat», White House press secretary Jen Psaki said in a briefing last week, describing the breach as a «significant vulnerability that could have far-reaching impacts».

The task force will involve a multi-agency effort that reportedly includes the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and others.