US, allies blame China-linked hackers for Microsoft Exchange breach

WASHINGTON (thehill): The United States and several allied countries on Monday are publicly blaming hackers affiliated with the Chinese government for the Microsoft Exchange Server hack that left tens of thousands of organizations vulnerable to compromise earlier this year.

The move to publicly identify the hackers as linked to China is part of a broader effort by the U.S. and its allies to publicly call out Beijing’s government for malicious behavior in cyberspace.

The U.S, European Union, United Kingdom, Australia, Canada, New Zealand, Japan and NATO will all criticize China’s Ministry of State Security (MSS) for using “criminal contract hackers” to conduct cyber-enabled extortion, “crypto-jacking” and other schemes, a senior Biden administration official said.

The U.S. government has with “high confidence” formally attributed the exploitation of vulnerabilities in Microsoft’s Exchange Server application to malicious cyber actors affiliated with China’s MSS.

Microsoft had previously said it believed a hacking group known as “HAFNIUM,” a Chinese-state sponsored hacking group, was exploiting the vulnerabilities in the program. U.S. officials had said they were working to attribute the hack, which was first detected in March. Hackers used zero-day exploits to attack versions of Microsoft’s Exchange Server application and hack into victims’ email accounts.

“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” the senior official told reporters during a call Sunday evening, referring to China by its official name. “Countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activity is bringing them together to call out this activity, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.”

The Biden administration official indicated that the attribution process was longer than others because of the scope of the compromises and the desire to work with allies to formally make the charge.

The official said it was also important to combine the announcement with information on indicators of compromise. The FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) on Monday are exposing more than 50 tactics, techniques and procedures used by Chinese state-sponsored hackers when targeting networks in the U.S. and other countries and providing recommendations to protect against the tactics.

Beyond calling out the Chinese government for the aggression in cyberspace, the U.S. is not taking specific actions at this stage to punish Beijing, but is leaving the door open to taking action in the future.

“The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable,” the official said. “We are putting forward a common cyber approach with our allies and laying down clear expectations on how responsible nations behave in cyberspace.”

The U.S. is also aware of reports of MSS-linked hackers conducting ransomware operations against private companies, the official said, without providing any specifics on those attacks.

The developments are likely to exacerbate tensions between the U.S. and China. President Biden has scolded China for its human rights abuses, unfair economic practices and other behavior and has framed his agenda as necessary in order to outcompete Beijing.

Biden has also encouraged other nations to draw a harder line on China, including pressing the Group of Seven (G7) to more forcefully rebuke Beijing over human rights in the Xinjiang region during his first trip abroad last month.

NATO will for the first time condemn the Chinese government’s cyber activities on Monday, the senior Biden official said, after the alliance said that China presents “systemic challenges to the rules-based international order” following its summit last month.