
Chinese-Linked Hackers Repeatedly Exploit Microsoft Exchange in Azerbaijani Energy Firm Attack

Between late December 2025 and late February 2026, an unnamed Azerbaijani oil and gas company fell victim to a persistent, multi-wave cyber intrusion. Security researchers at Bitdefender have attributed the campaign with moderate-to-high confidence to FamousSparrow (also tracked as UAT-9244), a hacking group believed to have ties to China. This incident marks an expansion of the group's targeting into the energy sector, leveraging repeated exploitation of Microsoft Exchange vulnerabilities. Below, we answer key questions about the attack, the threat actors, and what it means for the industry.

1. What exactly happened in the Azerbaijani energy firm attack?

Between late December 2025 and late February 2026, an unnamed oil and gas company based in Azerbaijan experienced a multi-wave intrusion carried out by a threat actor linked to China. The attackers repeatedly exploited Microsoft Exchange vulnerabilities to gain and maintain access to the firm's network. Over the two-month period, the hackers conducted multiple waves of compromise, suggesting a persistent and targeted campaign aimed at stealing sensitive data or conducting espionage. Bitdefender's analysis indicates the attacks were sophisticated and tailored to the energy sector.

Source: feeds.feedburner.com

2. Who is behind the attack and what is FamousSparrow?

Bitdefender attributes the campaign to FamousSparrow (also known as UAT-9244) with moderate-to-high confidence. FamousSparrow is a hacking group that has been active since at least 2019, known for targeting hotels, governments, and now energy companies. The group is believed to have affiliations with China, though attribution remains complex. FamousSparrow typically exploits vulnerabilities in Microsoft Exchange, SharePoint, and other enterprise software to breach networks. Unlike ransomware gangs, they focus on stealthy, long-term access for data theft and intelligence gathering.

3. Why was an Azerbaijani oil and gas company targeted?

Azerbaijan is a significant energy exporter, particularly in oil and gas, making its firms attractive targets for espionage and intellectual property theft. The timing of the multi-wave intrusion suggests the attackers sought to gather strategic intelligence, possibly related to energy markets, infrastructure, or geopolitical negotiations. Targeting an unnamed Azerbaijani company also signals an expansion of FamousSparrow's focus from hospitality and government to critical energy infrastructure, which often has weaker cybersecurity defenses compared to Western counterparts. China's interest in energy resources and technology further explains the targeting.

4. How did the hackers repeatedly exploit Microsoft Exchange?

The attackers carried out multiple waves of exploitation against known Microsoft Exchange vulnerabilities, including flaws that allow remote code execution and privilege escalation. While remaining undetected for roughly two months, they likely used their initial access to create backdoors, move laterally across the network, and deploy web shells. Repeated exploitation allowed them to re-enter if their initial access was discovered and removed, or to maintain persistence for data exfiltration. Bitdefender's report highlights that the group used a variety of techniques to evade detection, such as deleting logs and mimicking legitimate traffic.


5. How was the attack discovered and attributed?

Cybersecurity firm Bitdefender discovered the intrusion during a routine investigation or possibly after the victim company noticed suspicious activity. Through forensic analysis of network logs, malware samples, and infrastructure overlaps, researchers linked the attack to FamousSparrow with moderate-to-high confidence. Key indicators included custom web shells, command-and-control patterns, and overlap with previous FamousSparrow campaigns. Bitdefender's attribution relied on technical evidence such as MD5 hashes, domain names, and behavioral fingerprinting. The attack timeline from December 2025 to February 2026 suggests the breach went undetected for weeks.

6. What lessons can energy companies learn from this incident?

This attack underscores several critical lessons: First, patch management is vital—Microsoft Exchange vulnerabilities are frequently exploited, and unpatched systems invite intrusion. Second, energy firms should implement multi-layered defenses including network segmentation, strong monitoring, and incident response plans. Third, threat actors like FamousSparrow are expanding into energy, so companies must stay informed about evolving tactics. Finally, early detection reduces dwell time; deploying endpoint detection and response (EDR) tools and conducting regular security audits can help. The multi-wave nature of this attack shows that a single remediation may not be enough—persistent threats require continuous vigilance.
