The U.S. had barely begun its recovery from the SolarWinds compromise when another large-scale, state-sponsored cyberattack came to light in January. Like the SolarWinds hack, the Microsoft Exchange Server data breach exploited several zero-day vulnerabilities and has been attributed to a nation-state. But unlike SolarWinds, the Microsoft attack, while initially targeted, went on to create widespread collateral damage, leading some commentators to characterize it as “reckless.” Microsoft has attributed the compromise to a Chinese state-sponsored espionage group called “Hafnium.”
Recent U.S. sanctions against Russia, in part motivated by the SolarWinds attack, have given rise to an expectation that the U.S. will respond against China for its alleged role in the Microsoft hack. Yet, so far, the U.S. response has been practical rather than symbolic, and domestic rather than geopolitical. More generally, invocations by the U.S. of the rules-based international order ring hollow given the lack of agreed norms for responsible state behavior in cyberspace.
No one expects the Biden administration will be soft on China. There is bipartisan support in the U.S. to maintain a strong line, particularly on tech. From its initial promises to “hold Beijing accountable for its abuses of the international order” to the frosty exchanges at the high-level bilateral meeting in Alaska, the White House is positioning the U.S. for “extreme competition” with its most potent peer rival since the end of the Cold War.
Some optimists were hopeful that climate diplomacy, such as Biden’s Earth Day climate summit last week, would provide an opportunity for resetting the relationship, given that both the U.S. and China will need to take radical action if climate change targets are to be met. But at last week’s summit, specific, ambitious commitments to reduce emissions by the U.S. and its allies were met with vague words from Chinese President Xi Jinping, even if the language was warmer and more diplomatic than in recent exchanges.
In this context, the Microsoft breach poses a dilemma for the new administration: How to react appropriately without derailing an already fraught relationship. The attack goes further than regular espionage and can be contrasted with SolarWinds both because of its widespread impact and also because, rather than quietly withdrawing after being exposed, the attackers rushed to install “backdoors” on the targeted servers to ensure prolonged access to them. In so doing, they left victims vulnerable to a tsunami of attacks by other bad actors who could easily exploit the compromise. If SolarWinds merited a strong political response, the Microsoft Exchange hack is even more deserving.
The Microsoft Exchange compromise used zero-day exploits—so called because the vendor has had zero days to remedy the vulnerability before it is exploited—to install code that gave the actors full access to affected servers. Web shells were then installed to extend the attackers’ remote access and control. Chaining four zero-day exploits together, the attackers used the affected servers to reach other parts of each victim’s network.
Microsoft Exchange is one of the most popular email servers and is used by organizations worldwide. With access to emails, hackers can also pore through users’ contacts, the content of their correspondence and any attached documents to learn almost everything there is to know about them. The Microsoft Exchange breach was initially estimated to have affected more than 30,000 U.S. organizations. Shodan, a service that monitors vulnerabilities in connected devices, logged more than 250,000 potentially vulnerable servers.
Hafnium, the group accused of the attack, has been linked to Chinese espionage and usually targets groups that would typically interest a government, such as think tanks, political entities and law firms, among others. However, this attack went beyond espionage and has been described as a “pillage everything model.” Once the group knew that Microsoft had learned of the compromise and would try to patch the affected servers, it essentially scanned everything—even targets that espionage groups would normally have no interest in—and further compromised all the affected servers, leaving them all vulnerable to further exploitation by other criminal cyber groups. This is a vastly different tactic from the one deployed by the SVR, the Russian espionage outfit accused of the SolarWinds compromise. That attack only targeted traditional groups of interest for espionage, and the backdoor it installed acted as a kill switch for targets that were not of interest, thereby limiting collateral damage.
The Biden administration reacted decisively to the Microsoft incident, but so far, those actions have been practical, aimed at limiting damage to domestic victims. Shortly after the attack was made public, in March, the White House stood up what it called the Unified Coordination Group, which for the first time brought in U.S. industry and cybersecurity experts to assist the government in crafting the response.
So far, that response has been extraordinary, culminating in a court-authorized operation by the FBI that essentially used the access the hackers had created to remove the malicious web shells from hundreds of affected computers—with no mention of the owners’ consent, and without any requirement to inform them of the intervention if initial efforts to contact them failed.
Further along, the U.S. response to the Microsoft Exchange breach, if more is on the way, may not be in the form of cyber retaliation. There have been suggestions of responding with economic sanctions, such as adding more Chinese companies to the Commerce Department’s list of entities prohibited from importing or exporting technologies; this is the approach that has been used with Huawei in relation to 5G and semiconductors. The use of entities lists has been effective at containing China’s tech and trade ambitions, at least in the short term, but it has also disrupted Western supply chains.
The operation to understand and defend against the scale of the breach is ongoing, and we may not yet have seen the Biden administration’s full response. Once the practical task of mitigating the Microsoft Exchange attack has been completed, there remains a political judgment to be made on how to deter states from sponsoring such reckless cyberattacks in the future.
For the U.S. not to take further action against those responsible for the Microsoft attack, with its “pillage everything” model, after such a strong response to the much more restrained SolarWinds compromise, risks sending mixed messages to America’s cyber adversaries and could even incentivize the wrong type of behavior in the future.
Top U.S. officials, including Biden and Secretary of State Antony Blinken, have repeatedly emphasized the need for China to adhere to the rules-based international order. Yet, both the SolarWinds and Microsoft Exchange episodes show that Western strategies of “naming and shaming” state actors for their cyber misdeeds have not been effective, even as crafting more aggressive responses remains challenging. Biden might do well to focus at least as much attention on making good on his promise to establish “international rules of the road” in cyberspace.
Emily Taylor is the CEO of Oxford Information Labs, and an associate fellow with the International Security Program at Chatham House. She is also the editor of the Journal of Cyber Policy, a research associate at the Oxford Internet Institute, and an affiliate professor at the Dirpolis Institute at the Sant’Anna School of Advanced Studies in Pisa. She has written for The Guardian, Wired, Ars Technica, the New Statesman and Slate. Follow her on Twitter @etaylaw. Her column appears each Tuesday.