US warns China over state-sponsored hacking, citing mass attacks on Exchange

The flags of the US and China rippling on flagpoles on a windy day.
Getty Images | cbarnesphotography

The US government blamed the Chinese government on Monday for attacks on thousands of Microsoft Exchange servers.

China’s Ministry of State Security (MSS) “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” US Secretary of State Antony Blinken said in a statement that blamed the MSS for the Microsoft Exchange hacks. The US government and its allies “formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims,” Blinken said.

Blinken’s statement was released alongside a Justice Department announcement that three MSS officers and one other Chinese national were indicted by a federal grand jury on charges related to a different series of hacks into the “computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018.” Blinken said that the US “and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security.”

The US did not announce any new sanctions against China, but Blinken said the indictment is evidence that “the United States will impose consequences on PRC malicious cyber actors for their irresponsible behavior in cyberspace.”

Exchange zero-days

The Microsoft Exchange attacks have been public knowledge for over four months. “Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application,” we wrote on March 6.

At the time, Microsoft wrote that it “detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” and that it “attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.” Microsoft issued emergency patches for four zero-day vulnerabilities in Exchange Server that were being exploited by hackers.

The attacks were unusual because six hacking groups exploited vulnerabilities before Microsoft issued a patch. Compromised Exchange servers were also hit with multiple types of ransomware.

Today, Blinken said, “Responsible states do not indiscriminately compromise global network security nor knowingly harbor cyber criminals—let alone sponsor or collaborate with them. These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the MSS had them on its payroll.”

EU and UK condemn attacks

The European Union issued a statement today saying the attacks were “conducted from the territory of China for the purpose of intellectual property theft and espionage,” but it did not say the attackers were state-sponsored.

“We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation,” the EU said.

The United Kingdom’s statement today said, “The UK is joining like-minded partners to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.” Later in the release, the UK said its National Cyber Security Centre “is almost certain that the Microsoft Exchange compromise was initiated and exploited by a Chinese state-backed threat actor,” namely Hafnium, and that the “attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.”

According to the Associated Press, “a Chinese Foreign Ministry spokesperson has previously deflected blame for the Microsoft Exchange hack, saying that China ‘firmly opposes and combats cyber attacks and cyber theft in all forms’ and cautioned that attribution of cyberattacks should be based on evidence and not ‘groundless accusations.'”

Indictment

The Justice Department said the 2011-2018 hacking campaign “targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom” and stole trade secrets, medical research, and other sensitive information:

Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime. Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects). At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.

The four Chinese nationals were indicted by a federal grand jury in San Diego in May. The indictment was unsealed Friday and “alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” the Justice Department said.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said.

Three of the four indicted people—Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin—were officers in the Hainan State Security Department (HSSD), an arm of China’s MSS, the Justice Department said. They “sought to obfuscate the Chinese government’s role” in the hacks “by establishing a front company, Hainan Xiandun Technology Development Co., Ltd.,” the department said. The fourth indicted person was Wu Shurong, “a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers,” the Justice Department said.

US advisory on state-sponsored hackers

The US government today also issued an advisory on the tactics, techniques, and procedures used by Chinese state-sponsored attackers.

“The FBI and our partners are determined to disrupt the increasingly sophisticated Chinese state-sponsored cyber activity that targets US political, economic, military, education, and counterintelligence personnel and organizations,” FBI Cyber Division Assistant Director Bryan Vorndran said.