The Biden administration and several allies said Monday morning that China’s civilian intelligence service was responsible for a widespread hacking campaign that hit tens of thousands of companies around the world earlier this year.
According to a senior Biden administration official, hackers affiliated with China’s Ministry of State Security (MSS) carried out the massive operation, which exploited vulnerabilities in Microsoft Exchange Server, Microsoft’s email server software. The attack was so widespread that the White House National Security Council formed an emergency response group at the time to combat it.
The US and its allies plan to explain how the MSS hired criminal hackers on a contractual basis to carry out Beijing’s hacking operations, according to the official.
“MSS knowingly uses criminal contract hackers to carry out unauthorized cyber operations worldwide,” the senior administration official said during a call on Sunday.
The National Security Agency, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have for months warned organizations about the hacking of Microsoft Exchange Server, but this is the first time the US government has officially attributed the campaign to the Chinese government. Microsoft security researchers had previously attributed the operation to actors operating out of China, but had not tied it to the MSS.
The European Union, NATO, Japan and members of the Five Eyes intelligence-sharing alliance – the UK, Australia, Canada and New Zealand – will also criticize the MSS hacking attacks on Monday, the official said. It is the first time NATO has publicly attributed this type of activity to China.
The US and its allies also plan to call out the contract hackers who work for the MSS for running hacking campaigns on the side for their own personal gain. Some of these hackers are carrying out ransomware operations, the official said. In one case, the hackers targeted an American company and made a ransom demand in the millions.
The US Justice Department announced Monday that a federal grand jury in May indicted four Chinese nationals and residents for coordinating a hacking campaign against victims in the US and abroad on behalf of the MSS between 2011 and 2018. It was unclear whether other charges related to the MSS were in preparation.
US intelligence has long observed hackers with ties to the Russian or Iranian governments working for personal gain. But the MSS appears to have adopted the usual playbook of hackers working in dual roles, the administration official said.
“On the Russian side… we sometimes see people doing undeclared work. And we see … some connections between Russian intelligence services and individuals,” the official said. “But … the use of criminal contract hackers by MSS to carry out unauthorized cyber operations worldwide is clear.”
Contract hackers have long been the bread and butter of the MSS, according to a mysterious, anonymous group called Intrusion Truth, which posts research on a blog devoted to exposing hackers who work for the MSS through front companies and contracts. Other researchers, including those at cybersecurity firm FireEye, have previously said that some hackers affiliated with the Chinese government appear to conduct financially motivated hacking operations for their personal gain.
China’s embassy in the US did not immediately return a request for comment.
The administration’s decision to highlight China’s role in the recent wave of hacking comes as the US government is grappling with a wave of cyberattacks on American companies that Russian-speaking cybercriminals and hackers affiliated with the Russian government have launched in recent months. The onslaught of attacks has led the Biden administration to disrupt Russian hacking campaigns and to press Russian President Vladimir Putin to punish hackers who launch attacks from his country.
And while Putin’s response to Biden’s requests concerning ransomware hacking has been lackluster by some measures – the Kremlin says it has not received requests from US authorities to hold hackers accountable, a statement the Biden administration denies – the US government has taken swift action in recent months to hold Russia’s feet to the fire. The administration expelled 10 Russian diplomats and imposed sanctions on a number of individuals and companies after a hacking operation that the US government says Russia’s Foreign Intelligence Service (SVR) launched against US corporations and several federal agencies.
But if the administration’s response to the Russian hacking attacks was quick and reasonably comprehensive, its response to the Chinese hacking attacks may lack weight.
The Chinese hackers’ approach to hacking Microsoft Exchange Server was far from strategic, but indiscriminate and bold, says Allison Nixon, who has worked with companies vulnerable to Chinese hacking operations.
“They didn’t seem to care if the victim machines belonged to a strategic target or a rival nation,” Nixon, chief research officer at cybersecurity consultancy Unit 221B, told The Daily Beast.
According to Nixon, the Chinese hackers did not leave the vulnerable systems unharmed, and in doing so left companies exposed to ransomware attacks.
“You hit all of the population at risk,” said Nixon. “If this increasingly damages civil systems and wears people down with this constant attack, we have to draw a line somewhere.”
Dmitri Alperovitch, the former CTO of cybersecurity firm CrowdStrike – the company that traced the 2016 Democratic National Committee hack to Russian government hackers – told The Daily Beast the US government should put more pressure on the Chinese government.
“Given that sanctions have already been imposed on virtually every other rogue cyber nation-state, it is a blatant oversight not to apply them against China,” said Alperovitch, now Executive Chairman of Silverado Policy Accelerator. “The government deserves credit for the formidable international coalition of atrocities against China’s ruthless Microsoft Exchange hack, and I hope that the next logical step will include appropriate criminal charges and the first sanctions against China [People’s Republic of China] actors for such violations.”
The Biden administration has not ruled out putting more pressure on Beijing, the senior administration official said, noting that US officials have been in contact with senior Chinese government officials to warn them that their brazen hacking will have consequences.
“We are not ruling out further action to bring the PRC to justice,” the official said. “We are also aware that no action can change the behavior of the PRC … We have raised our concerns about both the Microsoft incident and the wider PRC malicious cyber activities to senior PRC government officials and made it clear that the measures taken by the PRC threaten security and trust and stability in cyberspace.”
Other countries are expected to attribute the activity to Beijing in the coming days, the official said.
Beijing could respond to the naming and shaming by the US, the EU and their allies, but bringing specific hackers to justice will be crucial in containing these types of attacks, says Phil Reiner, chief executive officer of the Institute for Security and Technology.
“The Biden administration continues to give priority to working with international partners to enforce global rules and norms – that is refreshing and welcome. Clarifying with other national leaders that these malicious and dangerous cyber activities are not allowed is an effective tool, but one has to wonder whether further measures – such as indictments and/or sanctions – are imminent,” Reiner, who previously worked in the office of the Secretary of Defense for Policy at the Pentagon, told The Daily Beast. “International pressure could be seen as a powerful tool in China, but we should also hold those who carried out these attacks accountable.”