U.S. and global allies blame China for widespread cybercrime, including massive Microsoft Exchange hack
In a move that could have serious repercussions for the already strained U.S.-China relationship, U.S. cyber officials are blaming hackers tied to the Chinese government for one of the largest cyberattacks in U.S. history.
According to a senior administration official, the FBI and NSA have "high confidence" that hackers contracted by China's Ministry of State Security carried out the cyberattack on the Microsoft Exchange email server this spring, a breach that exposed tens of thousands of private and public U.S. entities. Victims worldwide included schools, hospitals, cities and pharmacies.
White House officials say the attack was just one example of "malicious cyber activities" spearheaded by Chinese hackers, including the use of "ransomware" to threaten businesses and extort millions of dollars.
In a call Sunday outlining the findings of the Biden administration, the senior official said China's Ministry of State Security "uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit." The official revealed that Chinese government-affiliated hackers were also responsible for a recent ransomware attack on an unnamed American company.
The U.S., joined by major global allies Australia, Canada, Japan, the United Kingdom, New Zealand and the European Union, on Monday formally called out the Chinese government for the behavior. Their intention is to signal to China that its cyber activities will prompt countries around the world to unite to protect their networks.
Although the White House is not expected to announce any new punitive measures, the official said the administration is "not ruling out further actions" to hold China accountable.
The announcement comes at a time when most public scrutiny has been aimed at Russian hackers, including the ones who carried out recent ransomware attacks on U.S. companies such as the Colonial Pipeline operator and JBS.
There are notable differences between the Chinese and Russian cyberattacks, however. A senior administration official says there are close ties between contract hackers and the Chinese government: essentially, the hackers are on the government's payroll and operate at its behest. Russian hackers, on the other hand, have a more tenuous connection to official Russian intelligence agencies. The official also said the scale of the Chinese attacks, like the Microsoft Exchange hack, was "very eye-opening to us."
The scope of that attack, which took place in early March, stunned even seasoned cyber experts. "This is a crazy huge hack," Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said of the attack in a tweet. David Kennedy, CEO of cybersecurity firm TrustedSec, called it "literally the largest hack I've seen in my fifteen years" and noted that "there was zero rhyme or reason" to who was targeted. "It was literally 'hack everybody you can in this short time window and cause as much pandemonium and mayhem as possible.'"
Microsoft blamed "a state-sponsored threat actor … that we are calling Hafnium" and explained in a blog post that "Hafnium operates from China, and this is the first time we're discussing its activity. It is a highly skilled and sophisticated actor."
But Chinese officials denied responsibility, with Foreign Ministry spokesperson Wang Wenbin insisting China "firmly opposes and combats cyber-attacks and cyber theft in all forms."
During his second term, President Obama and Chinese President Xi Jinping agreed that neither country would "knowingly support cyber-enabled theft of intellectual property." But according to a memo released by the White House, Beijing-linked hackers are still "aggressively" targeting U.S. and allied defense and semiconductor firms, plus medical institutions and universities to steal data, including personally identifiable information amid the COVID-19 pandemic.
The memo also describes how Chinese hackers routinely rotate the virtual private servers they use, and use "small office and home office routers" as infrastructure to fly under the radar.