Biden Administration Blames Hackers Tied To China For Microsoft Cyberattack Spree
Four Chinese nationals were indicted over separate hacking activity; dozens of nations condemn Beijing’s state-sponsored hacking.
The Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities.
The U.S. government has high confidence that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.
In addition, four Chinese nationals were indicted over a range of separate hacking intrusions dating back a decade that allegedly stole corporate and research secrets from firms and universities around the world. Three of the nationals were described as MSS officers, while a fourth was said to be employed at a Chinese front company that aided the hacking.
“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Antony Blinken said Monday. The MSS, he added, had “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
The U.K. and European Union, among others, joined in the attribution of the Microsoft Exchange Server hacking activity, which rendered an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion. Attributing the Microsoft hack to China was part of a broader global censure Monday of Beijing’s cyberattacks by the U.S., the EU, the U.K., Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO, a 30-nation alliance.
Biden administration officials called the collective condemnation the largest international effort yet to criticize Beijing’s state-sponsored hacking. While statements varied, the international cohort generally called out China for engaging in harmful cyber activity, including intellectual property theft.
The public shaming, however, didn’t include punitive measures, such as sanctions or diplomatic expulsions by the U.S. That stands in contrast with how the administration recently punished Russia for a range of alleged malicious cyber activity, and the discrepancy drew criticism from some cybersecurity specialists.
The lack of further punishment “looks like a double standard compared with actions against Russian actors. We treat China with kid gloves,” said Dmitri Alperovitch, chairman of Silverado Policy Accelerator, a Washington-based think tank that works to modernize U.S. cybersecurity strategy.
A senior official said the administration is aware that no single action is capable of changing the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified stance against Beijing. The official said that hackers linked to the MSS were using criminal contractors to conduct “unsanctioned” cyber operations globally.
Asked by reporters what he believes the difference is between hacking originating in China and Russia, President Biden said, “My understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it, and maybe even accommodating them being able to do it.”
The U.S.-led announcement is the most significant action from the Biden administration to date concerning China’s yearslong campaign of cyberattacks against the U.S. government and American companies, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccine data.
The indictment the Justice Department made public Monday alleges that the Chinese government has done little to uphold a 2015 accord between China and the Obama Administration not to direct or support cyberattacks that steal corporate records for economic benefit. The Trump administration had also said Beijing repeatedly violated the accord. The indictment, which dates from May, accuses a regional branch of the MSS of relying on a front company, whose payroll was coordinated through a local university, to continue such attacks after the pact was signed.
The indictment charges the four men with orchestrating a hacking campaign from 2011 to 2018 intended to benefit China’s companies and commercial sectors by stealing intellectual property and business information. The indictment didn’t appear directly related to the Microsoft Exchange Server breach, but accused the hackers of stealing information from dozens of companies and universities around the world about Ebola virus research, maritime research and other topics.
U.S. authorities have accused China of widespread hacking targeting American businesses and government agencies for years. China has historically denied the allegations. A spokesman for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.
The Exchange Server hack was disclosed by Microsoft in March alongside a software patch to fix the bugs being exploited in the attack.
Microsoft at the time identified the culprits as a Chinese cyber-espionage group with state ties that it refers to as Hafnium, an assessment that was supported by other cybersecurity researchers. The Biden administration hadn’t offered attribution until now, and it is essentially agreeing with the conclusions of the private sector and providing a more detailed identification.
The attack on the Exchange Server systems began slowly and stealthily in early January by hackers who in the past had targeted infectious-disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other China-linked hacking groups became involved, infecting thousands of servers as Microsoft worked to send its customers a software patch in early March.
Microsoft praised Monday’s global action. “Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable,” said Tom Burt, Microsoft’s vice president of customer security and trust.
Also on Monday, the National Security Agency, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency jointly published technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government. The release of such lists is common when the U.S. exposes or highlights malicious hacking campaigns and is intended to help businesses and critical infrastructure operators better protect their computer systems.
‘Failure to sanction any PRC-affiliated actors has been one of the most prolific and baffling failures of our China policy that has transcended administrations.’
— Dmitri Alperovitch, Silverado Policy Accelerator
Cybersecurity experts have been pressing the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack.
“The Microsoft Exchange hacks by MSS contractors is the most reckless cyber operation we have yet seen from the Chinese actors—much more dangerous than the Russian SolarWinds hacks,” said Silverado’s Mr. Alperovitch, referring to the widespread cyber-espionage campaign detected last December that, along with other alleged activities, prompted a suite of punitive measures against Moscow.
Many analysts said the Biden administration broke with years of U.S. foreign policy that tolerated cyber espionage as an acceptable form of 21st century spycraft when it punished Russia earlier this year for SolarWinds.
Kellen Dwyer, a former career prosecutor who served last year as deputy assistant attorney general in the Justice Department’s national security division, said the SolarWinds attack “was an espionage attack, and one that was relatively cautious about imposing collateral damage.”
Meanwhile, said Mr. Dwyer, the Chinese actors who allegedly engaged in the Microsoft Exchange hack grabbed vast swaths of data and “indiscriminately scanned the entire internet to find unpatched vulnerabilities.” He said: “That certainly should be a norm that we are willing to define and meet with sanctions.”
The Chinese defendants charged in the new indictment aren’t in U.S. custody. Some cybersecurity experts have said indictments against foreign state-backed hackers often have little impact, because the accused are rarely brought before an American courtroom. U.S. officials have defended the practice, saying it helps convince allied governments, the private sector and others about the scope of the problem.
The hackers are accused of breaching dozens of schools, companies, and government agencies around the world, ranging from a research facility in California and Florida focused on virus treatments and vaccines, to a Swiss chemicals company that produces maritime paints, to a Pennsylvania university with a robotics engineering program and the National Institutes of Health, to two Saudi Arabian government ministries. The companies and universities aren’t named in the indictment.
The hackers allegedly used fake spear-phishing emails and stored stolen data on GitHub, concealing the files in photos of a koala and Donald Trump, the indictment said. They coordinated with professors at a Chinese university, including to identify and recruit hackers for their campaign, and used the address of the university library as the front company’s location, it said.
Biden Team Has No Immediate Plan To Sanction China Over Hacks
The Biden administration has no immediate plans to levy economic sanctions on Chinese officials in response to the Microsoft Exchange hack that the U.S. blames on Beijing, according to people familiar with the matter.
Some in the administration cite concern that sanctions wouldn’t be as effective as other approaches in deterring future cyber attacks by China, according to two people who spoke on condition of anonymity to describe internal deliberations. But the U.S. hasn’t ruled out the possibility of sanctions in the future, they said.
For now, the U.S. sees the most effective response to China as joining with other countries to publicly expose and criticize the scale of Beijing’s cyber activities. The U.S., U.K., North Atlantic Treaty Organization and other allies on Monday formally attributed the Microsoft Exchange hack to actors affiliated with the Chinese government.
The White House communications staff declined to comment.
An effective sanctions strategy would be for a global coalition to impose economic and financial restrictions, the people said. But there are no current plans for coordinated action on sanctions, one person familiar with the deliberations said.
The attack against Microsoft Corp.’s Exchange email servers took place over the course of two weeks between late February and early March.
The group of nations that criticized China, which includes Australia, Canada, New Zealand and Japan, accused Beijing’s leadership of a broad array of “malicious cyber activities,” saying the Chinese government has been behind a series of data theft and cyber espionage attacks against public and private entities. They specifically cited the sprawling Microsoft Exchange hack earlier this year.
If the Biden administration were to act unilaterally on sanctions, officials say that any Chinese officials the U.S. could target aren’t likely to have assets in dollars or plans to visit the U.S., diminishing the impact, people familiar with the matter said.
President Joe Biden’s team is concerned that sanctions issued merely as punishment, rather than to change the behavior of adversaries, could undermine the effectiveness of sanctions in the future. That leaves public criticism as the administration’s primary first response to the Exchange hack.
China has rejected accusations by the U.S. and allies that actors linked to its government were behind the Exchange hack and other such attacks.
“The U.S. ganged up with its allies and launched an unwarranted accusation against China on cybersecurity,” Chinese Foreign Ministry spokesman Zhao Lijian said earlier this week. “It is purely a smear and suppression out of political motives. China will never accept this.”
The U.S. and China have increasingly been at odds over a range of issues, including economic and military matters. Those tensions were also on display last week when the administration warned investors about the risks of doing business in Hong Kong with an advisory saying China’s push to exert more control over the financial hub threatens the rule of law and endangers employees and data.
China imposed retaliatory sanctions against the U.S. over the Hong Kong business warning, the Ministry of Foreign Affairs said late Friday. The country imposed sanctions against seven individuals, including former President Donald Trump’s commerce secretary, Wilbur Ross.
White House Press Secretary Jen Psaki criticized China for imposing sanctions. “We’re undeterred by these actions, we remain fully committed to implementing all relevant U.S. sanctions authorities,” Psaki told reporters.