Microsoft Exchange Server Hack

The U.S. and its allies on Monday formally accused China of carrying out a major cyber-attack on Microsoft Exchange servers in March this year, which had affected at least 30,000 organizations globally.

The U.S. was joined by NATO, the European Union, the United Kingdom, Australia, Japan, New Zealand, and Canada in condemning the spying, which U.S. Secretary of State Antony Blinken said posed “a major threat to our economic and national security.”

The People’s Republic of China (PRC) has also been accused of using “criminal contract hackers” who conduct malicious cyber activity, including for their own personal gain, ranging from ransomware and cryptojacking to cyber-enabled extortion.

In a statement released by the White House on Monday, the U.S. government said “cyber actors” working with China’s Ministry of State Security (MSS) “exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims”.

Back then, Microsoft had pointed the finger at Hafnium, a “highly skilled and sophisticated” Chinese hacker group.

“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software,” Microsoft’s Tom Burt had explained in a March 2021 blog post. “To date, Hafnium is the primary actor we’ve seen use these exploits.”

The U.S. government has now backed Microsoft’s assertion that Hafnium is a “state-sponsored threat actor,” and criticised China’s “irresponsible and destabilizing behavior in cyberspace.”

Although China says it wants to be seen as a responsible world leader, its malicious cyber activity “poses a major threat to U.S. and allies’ economic and national security,” the statement added.

The statement also echoes Microsoft’s findings from March, saying “with a high degree of confidence” that China-based hackers were behind the cyber espionage operation that exploited the zero-day vulnerabilities in Microsoft Exchange Server.

The statement says “tens of thousands of computers and networks worldwide” were compromised “in a massive operation that resulted in significant remediation costs for its mostly private sector victims.”

Although no direct sanctions have been imposed on China at this point, the U.S. Department of Justice (DOJ) on Monday announced charges against four Chinese nationals, three MSS security officials and one contract hacker, for targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare, in the U.S. and abroad from 2011 to 2018.

They have been charged with conspiracy to commit computer fraud and conspiracy to commit economic espionage.

“The indictment … alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” the DOJ said.

DOJ documents also outline how MSS hackers pursued the theft of Ebola virus vaccine research, demonstrating that the PRC’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information.

Much of the MSS activity alleged in the DOJ’s charges stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage.

Additionally, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) on Monday released a joint advisory describing more than 50 tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored threat actors in their attacks.

Condemning China’s malicious cyber activities, UK Foreign Secretary Dominic Raab said in a press release, “The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not.”

In a separate tweet, Jens Stoltenberg, NATO Secretary-General expressed solidarity with those affected by malicious cyber activities and asked China to “act responsibly”.

Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, called the accusations against China “irresponsible.”

“The Chinese government and relevant personnel never engage in cyber attacks or cyber theft,” Liu said in a statement.