The US government on Monday accused the Chinese government of attacking thousands of Microsoft Exchange servers.
The Chinese Ministry of State Security (MSS) “has fostered an ecosystem of criminal hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” US Secretary of State Antony Blinken said in a statement that blamed the MSS for the Microsoft Exchange hacks. The US government and its allies “have officially confirmed that MSS-affiliated cyber actors exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly owned by private-sector victims,” Blinken said.
Blinken’s statement was released along with an announcement from the Department of Justice that three MSS agents and another Chinese national have been indicted by a federal grand jury on charges relating to another round of hacks into the “computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.” Blinken said that the United States “and countries around the world hold the People’s Republic of China (PRC) responsible for its irresponsible, disruptive and destabilizing behavior in cyberspace, which constitutes a major threat to our economic and national security.”
The United States has not announced any new sanctions against China, but Blinken said the indictment is proof that “the United States will impose consequences on malicious cyber actors in the PRC for their irresponsible behavior in cyberspace.”
The Microsoft Exchange attacks have been common knowledge for over four months. “Tens of thousands of US-based organizations are using Microsoft Exchange servers that have been hijacked by malicious actors who steal administrator passwords and exploit critical vulnerabilities in the mail and calendar application,” we wrote on March 6.
At the time, Microsoft wrote that it “detected several 0-day exploits used to attack on-premises versions of Microsoft Exchange Server as part of limited and targeted attacks” and that it “attributes this campaign with high confidence to Hafnium, a group assessed to be state sponsored and operating out of China, based on observed victimology, tactics and procedures.” Microsoft issued emergency fixes for four zero-day vulnerabilities in Exchange Server that were being exploited by the attackers.
The attacks were unusual because six hacking groups exploited the vulnerabilities before Microsoft released a patch. Compromised Exchange servers were also hit by several types of ransomware.
Today, Blinken said, “Responsible states do not blindly compromise the security of global networks or knowingly host cybercriminals, much less sponsor or collaborate with them. These hackers are costing governments and businesses billions of dollars in stolen intellectual property, ransom payments and cybersecurity mitigation efforts, while the MSS had them on its payroll.”
EU and UK condemn attacks
The European Union published a statement today saying that the attacks were “carried out from within Chinese territory for the purpose of intellectual property theft and espionage,” but it did not say the attackers were state sponsored.
“We continue to urge the Chinese authorities to adhere to these standards and not to allow the use of their territory for malicious cyber activity, and to take all appropriate and reasonably available and feasible measures to detect, investigate and resolve the situation,” the EU said.
The United Kingdom’s statement said today: “The UK joins like-minded partners in confirming that Chinese state-backed actors were responsible for accessing computer networks around the world through Microsoft Exchange servers.” Later in the statement, the UK said its National Cyber Security Centre “is almost certain that the Microsoft Exchange compromise was initiated and exploited by a Chinese state-backed threat actor,” namely Hafnium, and that “the attack was very likely to allow for large-scale espionage, including the acquisition of personally identifiable information and intellectual property.”
According to the Associated Press, “a spokesperson for the Chinese Foreign Ministry previously deflected responsibility for the Microsoft Exchange hack, saying China ‘strongly opposes and fights cyber attacks and cyber theft in all its forms’ and warned that the attribution of cyber attacks should be based on evidence and not on ‘baseless accusations.’”
The Justice Department said the 2011-2018 hacking campaign “targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the UK” and stole trade secrets, medical research and other sensitive information:
Industries targeted included, among others, aviation, defense, education, government, healthcare, biopharmaceuticals and maritime. Stolen trade secrets and confidential business information included, among others, sensitive technologies used for submersibles and autonomous vehicles, specialized chemical formulas, commercial aircraft maintenance, proprietary gene sequencing technology and data, and information to support China’s efforts to secure contracts for state-owned enterprises in the target country (for example, large-scale high-speed rail development projects). At research institutes and universities, the plot targeted research into infectious diseases linked to Ebola, MERS, HIV/AIDS, Marburg and tularemia.
The four Chinese nationals were indicted by a federal grand jury in San Diego in May. The indictment was unsealed on Friday and “alleges that much of the plot’s theft focused on information that presented significant economic benefit to Chinese companies and business sectors, including information that would circumvent long and resource-intensive research and development processes,” the Department of Justice said.
“These criminal charges underscore once again that China continues to use cyber attacks to steal what other countries are doing, in blatant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said.
Three of the four indicted – Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin – were officers of the Hainan State Security Department (HSSD), a branch of the Chinese MSS, the Justice Department said. They “sought to disguise the role of the Chinese government” in the hacks “by setting up a shell company, Hainan Xiandun Technology Development Co., Ltd.,” the department said. The fourth person charged was Wu Shurong, “a hacker who, as part of his duties at Hainan Xiandun, created malware, hacked computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers,” the department said.
US Advisory on State-Sponsored Hackers
The U.S. government also released an advisory today on the tactics, techniques and procedures used by Chinese state-sponsored attackers.
“The FBI and our partners are committed to disrupting the increasingly sophisticated Chinese state-sponsored cyber activity that targets United States political, economic, military, educational and counter-intelligence personnel and organizations,” said Bryan Vorndran, Deputy Director of the FBI’s Cyber Division.