China’s Ministry of State Security Also Accused of Carrying Out Ransomware Attacks
The Biden administration on Monday formally accused a group working for China’s Ministry of State Security of carrying out a series of attacks against vulnerable Microsoft Exchange email servers earlier this year that affected thousands of organizations in the U.S. as well as around the world.
On March 4, Microsoft issued emergency patches for four vulnerabilities in certain versions of its on-premises Exchange email server that the company says were exploited by a China-based group its researchers called Hafnium.
Now, the White House says that this attack group worked for China’s Ministry of State Security, or MSS, which oversees foreign intelligence and counter-intelligence operations for the country’s government. The administration says it has “a high degree of confidence” that attackers associated with MSS conducted the global Exchange campaign.
To bolster the case against China, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory describing the tactics, techniques and procedures that MSS-affiliated groups have used over the last several years, including a list of vulnerabilities that the attackers have exploited.
In recent years, the U.S. has accused MSS and threat groups affiliated or working for the Chinese agency of conducting numerous cyber operations against American organizations and other targets (see: CISA: Chinese Hackers Targeting US Agencies).
“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” according to the White House.
Besides the attacks against on-premises Exchange servers, the White House accused MSS-affiliated groups of carrying out numerous other cyber operations, including ransomware attacks that resulted in millions of dollars in ransoms paid to the attackers.
A senior administration official, who spoke on the condition of anonymity, says that the ransomware attacks conducted by MSS-affiliated groups were a surprise to the White House and show that China is becoming much more aggressive in the cyber operations it carries out.
“I can’t speak to further details of the ransomware attacks, but it literally was what we think about with ransomware: a ransom request – a large ransom request made to an American company,” the senior administration official says. “And it really raised concerns for us with regard to the behavior and, frankly, as I noted, with regard to the fact that … individuals affiliated with the MSS conducted it.”
Alongside the formal accusation that China's government sanctioned the Exchange attacks, the Justice Department unsealed an indictment accusing four Chinese nationals of conducting a variety of cyber operations against U.S. and other organizations around the world. None of the four individuals listed in the indictment, however, is accused of taking part in the Exchange attacks.
No Sanctions Yet
While the White House and other U.S. government agencies accused China’s MSS of conducting the Exchange attacks, the Biden administration has not issued formal sanctions or other punishments against the Chinese government.
In April, when the Biden administration formally accused Russia’s Foreign Intelligence Service – SVR – of carrying out the attack that targeted SolarWinds, the Treasury Department issued sanctions against the Russian government and more than 30 companies and individuals accused of supplying tools, infrastructure and technologies for various cyber operations or participating in the election-related disinformation campaign (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
The senior administration official says the accusations against the MSS, covering both the Exchange attacks and the other cyber operations, were raised with China's government before Monday's announcement.
“We’ve raised our concerns about both the Microsoft incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence and stability in cyberspace,” the senior administration official says. “The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”
And while no formal sanctions were issued against the Chinese government or the MSS, the Biden administration was joined in Monday's announcement by the U.K., the European Union and NATO, which strengthens its case against China and its cyber operations.
“Responsible states do not indiscriminately compromise global network security nor knowingly harbor cybercriminals – let alone sponsor or collaborate with them,” says Secretary of State Antony Blinken. “These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments and cybersecurity mitigation efforts, all while the MSS had them on its payroll.”