It’s looking like the exploitation of critical Exchange flaws that Microsoft revealed at the start of the month could be much worse than folks first suspected.

Six advanced criminal hacking groups, thought to have some level of state sponsorship, used the zero days to attack government and industry sites before the flaws were patched. At the time, Microsoft claimed that only one Chinese-based hacking group, dubbed Hafnium, had illicitly exploited the dodgy code.

It appears five other groups – Tick, followed by LuckyMouse, Calypso, Websiic, and the Winnti Group – got in on the game before patches were released, although the latter (used it just hours before the Microsoft announcement. And the timeline for this opens up some interesting possibilities, particularly in light of reports that the flaws were leaked from a February 23 alert sent by Microsoft to key security partners worldwide.

DEVCORE hacker found first Exchange bug on December 10, and had weaponized it to an admin-level RCE by New Year’s Eve. After the January 5 notification to Microsoft he and the Redmond team finalised the draft report by February 18. It was sent on the 23rd, and five days later the second wave of attacks kicked off.

Either a state-sponsored team found and exploited the flaws – probably for a while before someone else found them – and then shared them out to similar groups. As a second possibility, DEVCORE or Microsoft’s security team was penetrated, or finally, there’s a possibility that one or more of Redmond’s security partners is feeding information to the enemy.