US, allies blame China-linked hackers for Microsoft Exchange breach

The United States and several allied countries on Monday publicly blamed hackers affiliated with the Chinese government for the Microsoft Exchange Server hack that left tens of thousands of organizations vulnerable to compromise earlier this year.

The move to publicly identify the hackers as linked to China is part of a broader effort by the U.S. and its allies to publicly call out Beijing’s government for malicious behavior in cyberspace.

The U.S., European Union, United Kingdom, Australia, Canada, New Zealand, Japan and NATO on Monday criticized China’s Ministry of State Security (MSS) for using criminal contract hackers to conduct cyber-enabled extortion, “crypto-jacking” and other schemes.

The U.S. government has with “high confidence” formally attributed the exploitation of vulnerabilities in Microsoft’s Exchange Server application to malicious cyber actors affiliated with China’s MSS. Other nations also attributed the cyberattack to Chinese government-linked hackers.

Microsoft had previously said it believed a hacking group known as “HAFNIUM,” a Chinese-state sponsored hacking group, was exploiting the vulnerabilities in the program. U.S. officials had said they were working to attribute the hack, which was first detected in March. Hackers used zero-day exploits to attack versions of Microsoft’s Exchange Server application and hack into victims’ email accounts.

“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” the senior official told reporters during a call Sunday evening, referring to China by its official name. “Countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activity is bringing them together to call out this activity, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.”

The Biden administration official indicated that the attribution process was longer than others because of the scope of the compromises and the desire to work with allies to formally make the charge.

The official said it was also important to combine the announcement with information on indicators of compromise. The FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency on Monday are exposing more than 50 tactics, techniques and procedures used by Chinese state-sponsored hackers when targeting networks in the U.S. and other countries and providing recommendations to protect against the tactics.

Beyond calling out the Chinese government for the aggression in cyberspace, the U.S. is not expected to take significant actions at this stage to punish Beijing, but is leaving the door open to taking action in the future.

“The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable,” the official said. “We are putting forward a common cyber approach with our allies and laying down clear expectations on how responsible nations behave in cyberspace.”

The Justice Department on Monday morning announced charges against four Chinese nationals working with China’s MSS for participating in a global computer hacking campaign, including three officers of a provincial arm of the MSS. However, the defendants are likely currently out of reach in China, meaning they will not face prosecution unless U.S. officials are able to extradite them.  

The U.S. is also aware of reports of MSS-linked hackers conducting ransomware operations against private companies, the official said, without providing any specifics on those attacks.

The developments are likely to exacerbate tensions between the U.S. and China. President Biden has scolded China for its human rights abuses, unfair economic practices and other behavior and has framed his agenda as necessary in order to outcompete Beijing.

Biden has also encouraged other nations to draw a harder line on China, including pressing the Group of Seven to more forcefully rebuke Beijing over human rights in the Xinjiang region during his first trip abroad last month.

NATO is for the first time condemn the Chinese government’s cyber activities on Monday, the senior Biden official said, after the alliance said that China presents “systemic challenges to the rules-based international order” following its summit last month.

“In line with our recent Brussels Summit Communiqué, we call on all States, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” NATO said in the statement on Monday. “We also reiterate our willingness to maintain a constructive dialogue with China based on our interests, on areas of relevance to the Alliance such as cyber threats, and on common challenges.”

Updated at 9:34 a.m.