US warns China about state-sponsored hacking, citing massive attacks on Exchange

[Image: The flags of the United States and China fluttering from flagpoles on a windy day. Credit: Getty Images | cbarnesphotography]

The US government blamed the Chinese government on Monday for the attacks on thousands of Microsoft Exchange servers.

China’s Ministry of State Security (MSS) “has fostered an ecosystem of criminal hackers who carry out state-sponsored activities and cybercrime for their own financial gain,” US Secretary of State Antony Blinken said in a statement that blamed the MSS for the Microsoft Exchange hacks. The United States government and its allies “formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims,” Blinken said.

Blinken’s statement was published alongside an announcement from the Department of Justice that three MSS officers and another Chinese national had been indicted by a federal grand jury on charges relating to a separate series of intrusions into the “computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018.” Blinken said that the United States “and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security.”

The United States did not announce any new sanctions against China, but Blinken said the indictment is evidence that “the United States will impose consequences on malicious cyber actors in the People’s Republic of China for their irresponsible behavior in cyberspace.”

Zero-day exploits

The Microsoft Exchange attacks have been public knowledge for more than four months. “Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendar application,” we wrote on March 6.

At the time, Microsoft wrote that it had “detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” and that it “attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.” Microsoft issued emergency patches for the four zero-day vulnerabilities in Exchange Server that were being exploited.

The attacks were unusual in that six hacking groups were exploiting the vulnerabilities before Microsoft issued a patch. Compromised Exchange servers were also hit by several strains of ransomware.

Today, Blinken said, “Responsible states do not indiscriminately compromise global network security nor knowingly harbor cybercriminals, let alone sponsor or collaborate with them. These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the MSS had them on its payroll.”

The EU and the UK condemn the attacks

The European Union issued a statement today saying that the attacks “were carried out from the territory of China for the purpose of intellectual property theft and espionage,” but it did not say that the attackers were state-sponsored.

“We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation,” the EU said.

The United Kingdom’s statement said today, “The UK joins like-minded partners in confirming that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.” Later in the statement, the UK said its National Cyber Security Centre “is almost certain that the Microsoft Exchange compromise was initiated and exploited by a Chinese state-backed threat actor,” namely Hafnium, and that the attack “was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.”

According to the Associated Press, “A spokesman for the Chinese Foreign Ministry deflected blame for the Microsoft Exchange hack, saying that China ‘firmly opposes and fights cyberattacks and cyber theft in all its forms’ and cautioned that attribution of cyberattacks should be based on evidence and not ‘unfounded accusations.’”

The Justice Department said the 2011-2018 hacking campaign “targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom” and stole trade secrets, medical research and other confidential information:

Targeted industries included, but were not limited to, aviation, defense, education, government, health care, biopharmaceutical, and maritime. Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed rail development projects). At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.

The four Chinese nationals were indicted by a federal grand jury in San Diego in May. The indictment was unsealed on Friday and “alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” the Justice Department said.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” said Deputy Attorney General Lisa Monaco.

Three of the four people charged, Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin, were officers of the Hainan State Security Department (HSSD), a provincial arm of China’s MSS, the Justice Department said. They “sought to obfuscate the Chinese government’s role” in the attacks “by establishing a front company, Hainan Xiandun Technology Development Co., Ltd.,” the department said. The fourth person charged was Wu Shurong, “a hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers,” the Justice Department said.

US advisory on state-sponsored hackers

The United States government also issued an advisory on the tactics, techniques and procedures used by the Chinese state-sponsored attackers.

“The FBI and our partners are determined to disrupt the increasingly sophisticated Chinese state-sponsored cyber activity targeting US political, economic, military, educational, and counterintelligence personnel and organizations,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division.
