Krebs and Wired report that the attack was carried out by Hafnium, a Chinese hacking group. While Microsoft hasn’t spoken to the scale of the attack, it also points to the same group as having exploited the vulnerabilities, saying that it has “high confidence” that the group is state-sponsored.
According to KrebsOnSecurity, the attack has been ongoing since January 6th (the day of the riot), but ramped up in late February. Microsoft released its patches on March 2nd, which means that the attackers had almost two months to carry out their operations. The president of cyber security firm Volexity, which discovered the attack, told Krebs that “if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Both the White House National Security Advisor, Jake Sullivan, and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs (no relation to KrebsOnSecurity) have tweeted about the severity of the incident