WASHINGTON – The Biden administration publicly blamed hackers affiliated with China’s main intelligence service on Monday for a large-scale cyberattack on Microsoft Corp. messaging software this year, senior administration officials said, as part of a global effort to condemn Beijing’s malicious cyber activity.
In addition, four Chinese nationals, including three intelligence officers, have been charged with separate hacking activities.
The US government has “great confidence” that hackers linked to the Department of State Security, or MSS, carried out the unusually indiscriminate hacking of Microsoft Exchange Server software that emerged in March, senior officials said.
“The United States and countries around the world hold the People’s Republic of China (PRC) responsible for its irresponsible, disruptive and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Antony Blinken said. The MSS, he added, had “fostered an ecosystem of criminal hackers who carry out both state sponsored activities and cybercrime for their own financial gain.”
The UK and EU have joined in attributing the hacking activity, which has left hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion.
The US-led announcement is the Biden administration’s most significant action to date on China’s yearslong campaign of cyberattacks against the US government and US businesses, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccination data.
The Justice Department released a May grand jury indictment on Monday that accused four Chinese nationals and residents working with the State Security Department of participating in a 2011-2018 hacking campaign aimed at benefiting Chinese companies and business sectors by stealing intellectual property and business information. The indictment did not appear to be directly related to the Microsoft Exchange Server breach, but accused the hackers of stealing information from companies and universities on Ebola research and other topics for the benefit of the Chinese government and Chinese companies.
Attributing the Microsoft hack to China was part of a wider global censure of Beijing’s cyberattacks issued on Monday by the United States, European Union, United Kingdom, Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO. Although statements varied, the international cohort generally called out China for engaging in harmful cyber activities, including the theft of intellectual property. Some have accused the MSS of using criminal contractors to conduct unauthorized cyber operations globally, including for their own personal gain.
U.S. authorities have accused China of widespread hacking targeting U.S. businesses and government agencies for years. China has historically denied these claims. A spokesperson for the Chinese Embassy in Washington did not immediately respond to a request for comment.
The Exchange Server hack was disclosed by Microsoft in March along with a software patch to correct the bugs exploited in the attack. At the time, Microsoft identified the culprits as a Chinese cyber-espionage group with state ties that it calls Hafnium, an assessment that has been supported by other cybersecurity researchers. The Biden administration had not offered an attribution until now; it essentially agrees with the private sector’s findings and provides a more detailed identification.
The attack on Exchange Server systems began slowly and stealthily in early January with hackers who in the past targeted infectious disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other hacking groups linked to China became involved, infecting thousands of servers as Microsoft scrambled to send customers a software patch in early March.
Also on Monday, the National Security Agency, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency jointly released technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government, the official said. The publication of such lists is common when the United States exposes or highlights malicious hacking campaigns and aims to help businesses and critical infrastructure operators better protect their IT systems.
Cybersecurity experts have been pressuring the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack. Dmitri Alperovitch, a cybersecurity expert with the think tank Silverado Policy Accelerator, said the coordinated global condemnation of China is a welcome and expected development.
“The hacking of Microsoft Exchange by MSS contractors is the most reckless cyber operation that we have ever seen from Chinese players – much more dangerous than Russian hacks by SolarWinds,” Alperovitch said, referring to the massive cyber-espionage campaign detected last December which, along with other alleged activities, led to a series of punitive measures against Moscow.
Mr. Alperovitch criticized the lack of sanctions imposed on China and said it raised questions about why Beijing appeared to escape tougher sanctions, especially compared to those imposed on Russia.
“Failure to sanction actors affiliated with the PRC has been one of the most prolific and puzzling failures of our Chinese policy which has transcended administrations,” Alperovitch said, referring to the People’s Republic of China. Monday’s public humiliation without further punishment “looks like a double standard compared to actions against Russian actors. We deal with China with kid gloves.”
The senior administration official said the Biden administration was aware that no action was able to change the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified position against Beijing. The list of nations condemning China on Monday was “unprecedented,” the official said, noting that it was the first time that NATO itself has done so specifically.
“We have made it clear that we will continue to take steps to protect the American people from malicious cyber activity, regardless of who is responsible,” the official said. “And we are not ruling out further actions to hold the PRC to account.”
The new indictment says members of a provincial branch of the Chinese intelligence service in southern Hainan province have set up a shell company that describes itself as an information security company and ordered its employees to hack dozens of victims in the United States, Austria, Cambodia and several other countries.
The defendants, three of whom are described as intelligence agents, are not being held by the United States. Some cybersecurity experts have said that indictments against hackers backed by foreign states often have little impact because defendants rarely go to US court. U.S. officials have defended the practice, saying it helps convince Allied governments, the private sector and others of the magnitude of the problem.
The group is accused of hacking dozens of schools, businesses and government agencies around the world, ranging from a research center in California and Florida focused on virus treatments and vaccines, to a Swiss chemical company that produces maritime paints, to a university in Pennsylvania with a robotic engineering program and the National Institutes of Health, to two Saudi government ministries. The companies and universities are not named in the indictment.
The hackers allegedly used fake phishing emails and stored stolen data on GitHub, according to the indictment. They coordinated with professors at a Chinese university, including to identify and recruit hackers for their campaign, it said. The alleged NIH breach dates back to August 2013, according to the indictment.
Write to Dustin Volz at [email protected] and Aruna Viswanatha at [email protected]
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.