The United States and its Nato, EU and Five Eyes allies on Monday jointly accused the Chinese government of using “criminal contract hackers” to carry out the hacking of Microsoft Exchange’s mail servers earlier this year that impacted tens of thousands of entities around the world.
The White House has called the move “unprecedented”. This is the first instance of Nato, a military alliance of 30 nations, condemning China for cyberattacks.
The collection of countries in this effort is the largest to jointly denounce aggressive cyber operations by China. The EU has 27 members, and the Five Eyes is an intelligence sharing pact of the US, the UK, Canada, Australia and New Zealand.
It could not be immediately ascertained if India, which was also impacted by the Microsoft hacking, was invited to join or chose not to.
A senior Biden administration official, who briefed reporters on condition of anonymity, said “we’re expecting additional countries in the coming weeks”.
The United States and its allies are “exposing the PRC’s (People’s Republic of China) use of criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit”, the White House said in a statement on Monday.
It added that the US and its allies are “attributing with a high degree of confidence that malicious cyber actors” of China’s ministry of state security, which is the country’s civilian intelligence agency, “conducted cyber espionage operations utilising the zero-day vulnerabilities in Microsoft Exchange Server”, which were disclosed by the company in March.
These were vulnerabilities in its Exchange Server email and calendar software. While they had been around for 10 years, Chinese hackers had been exploiting them since at least January.
The US and its allies did not announce retaliatory measures of the kind used against Russia, such as sanctions. But while not ruling out further action against China, the senior Biden administration official said, “We really focused initially in bringing other countries along with us. And this is really an unprecedented group of allies and partners holding China accountable.”
The official underlined “it’s the first time that Nato has condemned PRC’s cyber activities”.
The US justice department has announced criminal charges against four MSS hackers addressing “activities concerning a multi-year campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defence, education, and healthcare in at least a dozen countries”.
The charges also refer specifically to how the MSS hackers stole Ebola virus vaccine research and “demonstrate that the PRC’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information”.
Separately, the US National Security Agency, the Cybersecurity and Infrastructure Agency of the department of homeland security, and the Federal Bureau of Investigation released a cybersecurity advisory of techniques that Chinese hackers used to target US and allied networks, including those used when targeting the Microsoft Exchange Server vulnerabilities.
The US believes Chinese hackers are generally more closely tied to the Chinese government than the Russians are to theirs. On the Russian side, the US administration official said, “we sometimes see individuals moonlighting. And we see, you know, some connections between Russian intelligence services and individuals. But this kind of… use of criminal contract hackers to conduct unsanctioned cyber operations globally is distinct”.
The Chinese hackers’ entire range of activities – cyber-enabled extortion and crypto-jacking – is intended, the official said, “for financial gain of PRC government-affiliated cyber operators”.
The official added that the MSS “uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit”.
The US is aware of instances in which PRC government-affiliated cyber operators have carried out ransomware operations against private companies, demanding millions of dollars in ransom.
No details were shared about these companies, which included an American firm.