US, Britain and EU blame China for Microsoft Exchange email server hack

·8-min read

The US, Britain, the EU and Nato on Monday accused Beijing of sponsoring a massive hack of the Microsoft Exchange email server discovered earlier this year, which compromised accounts worldwide, and vowed to work with other countries to halt what the US State Department called China’s “destabilising behaviour in cyberspace”.

The State Department said “cyber actors”, working with China’s Ministry of State Security (MSS), “exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims”.

A senior White House official briefing reporters in Washington said: “The US and our allies and partners are not ruling out further actions to hold the [People’s Republic of China] accountable.”

Do you have questions about the biggest topics and trends from around the world? Get the answers with SCMP Knowledge, our new platform of curated content with explainers, FAQs, analyses and infographics brought to you by our award-winning team.

The announcement added that the US had worked with allies and partners to identify the source of the hacks, which “cost governments and businesses billions of [US] dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the MSS had them on its payroll”.

More than 250,000 servers were targeted worldwide, according to the British government. Photo: AP
More than 250,000 servers were targeted worldwide, according to the British government. Photo: AP

“The Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it, and maybe even accommodating them being able to do it,” US President Joe Biden told White House reporters after the announcement.

China’s embassy in Washington called its allegations of cyberespionage “irresponsible”, “ill-intentioned” and lacking in evidence.

“The Chinese government and relevant personnel never engage in cyberattacks or cyber theft,” embassy spokesman Liu Pengyu said. “We urge the US to immediately stop its ‘empire of hacker’ campaign and stop illegally damaging other countries’ interests and security.”

“US allies must also remember that the US agencies have been engaging in large-scale, organised and indiscriminate cyber intrusion, surveillance and monitoring activities on foreign governments, institutions, enterprises, universities and individuals, including on its allies,” Liu said.

From US to Asia, thousands of organisations fall victim to Microsoft email hack

Asked why Washington had not announced any sanctions along with the cyber hacking allegations, White House press secretary Jen Psaki said the inclusion of Nato in Monday’s chorus of denunciations represented an escalated response.

“I would note that we are actually elevating and taking steps to not only speak out publicly, but certainly take action as it relates to problematic cyber activities from China – in a different way, but as we have from Russia as well,” she said.

Monday’s announcements add to a growing list of cyber espionage operations that the US government has tied to China’s MSS, including an indictment last year of two Chinese nationals in connection with schemes that allegedly aimed to net information on Covid-19 vaccines, military weapons and human rights activists.

Multiple federal agencies issued warnings to subnational government authorities, operators of critical infrastructure and private companies on Monday to take extra precautions to adapt to the evolving capabilities of hackers working with the Chinese government.

“Chinese state-sponsored cyber actors remain agile and cognisant of the information security community’s practices,” the Cybersecurity & Infrastructure Security Agency (CISA) said in an alert. “These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.”

The US Justice Department said it had charged four mainland Chinese with establishing a front company to carry out schemes that targeted users in 12 countries. Photo: US Federal Bureau of Investigation
The US Justice Department said it had charged four mainland Chinese with establishing a front company to carry out schemes that targeted users in 12 countries. Photo: US Federal Bureau of Investigation

CISA added: “Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products.”

The Information Technology & Innovation Foundation (ITIF), a Washington-based policy think tank that is financially supported by a wide range of technology companies including Microsoft, aircraft maker Boeing and Shenzhen-based drone maker DJI, issued a statement welcoming the Biden administration’s announcement.

“Hacking practices backed by the Chinese government have been ignored on the international stage for years – treated as something not to be mentioned in polite company,” said Daniel Castro, ITIF vice-president. “But the Biden administration’s move to publicly accuse China of a recent cyberattack suggests that Beijing’s free pass is over.

“It’s not clear that naming and shaming will be enough, though,” Castro added. “If China continues to brazenly back cyberattacks against its trading partners, the United States and its allies should escalate their response.”

Proposed WHO Covid-19 origins study ‘inconsistent’ with China’s position

The British government announcement said the cyberattacks targeted more than 250,000 servers worldwide.

The hack began in January and Microsoft disclosed it on March 2, crediting third-party security consultant Volexity for its discovery.

Separately, the US Justice Department said it had charged four mainland Chinese with establishing a front company, Hainan Xiandun Technology Development, a now-disbanded business that allegedly worked with the Hainan State Security Department (HSSD) to carry out cyber espionage schemes that targeted users in 12 countries including the US, Britain, Canada, Indonesia, Malaysia and Saudi Arabia.

The Justice Department statement claimed that HSSD officers Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin managed a network of computer hackers and linguists at Hainan Xiandun and other MSS front companies “to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities” and that the operation was run out of China’s southeastern island province of Hainan to “obfuscate the Chinese government’s role”.

Wu Shurong, as part of Hainan Xiandun, was accused of hacking into computer systems and supervising other hackers .

Stolen trade secrets and information included technologies used for submersibles and autonomous vehicles, commercial aircraft servicing, genetic-sequencing technology and data, and foreign information to support efforts to secure contracts for state-owned enterprises looking to build high-speed railways and other development projects in third countries, the Justice Department alleged.

At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, Mers, HIV/Aids, Marburg and tularaemia, according to the Justice Department.

“Widespread, credible evidence demonstrates that sustained, irresponsible cyber activity emanating from China continues,” said the British government statement. “The Chinese government has ignored repeated calls to end its reckless campaign, instead allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught.”

The British statement also tied China’s MSS to cyberattacks allegedly committed by the cyber espionage group Advanced Persistent Threat 40 (APT40), which has been linked to activity in countries involved in China’s Belt and Road infrastructure Initiative. The EU Council made the same accusation.

‘Competition over cooperation’ leaves regular US-China talks up in the air

“The EU and its member states, together with partners, expose malicious cyber activities that significantly affected our economy, security, democracy and society at large,” it said. “The EU and its member states assess these malicious cyber activities to have been undertaken from the territory of China.

“We have also detected malicious cyber activities with significant effects that targeted government institutions and political organisations in the EU and member states, as well as key European industries,” the EU Council said.

“These activities can be linked to the hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage.”

Accusations by the US, the EU and other Western countries directed at China and Russia have become increasingly fierce as cyberspace has become a key area of competition and confrontation between Beijing and countries aligned with Washington, according to Shi Yinhong, a professor of international relations at Renmin University.

“With the increasing importance of information technology in the international community, confrontation in this area has become more important and will become more important in the future,” Shi said.

“The Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it, and maybe even accommodating them being able to do it,” said US President Joe Biden. Photo: Reuters
“The Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it, and maybe even accommodating them being able to do it,” said US President Joe Biden. Photo: Reuters

In an indication of this stronger stance, Norway’s Foreign Minister Ine Eriksen Søreide told reporters on Monday that she summoned a Chinese diplomat to protest against the “unacceptable” Microsoft Exchange cyberattack, which she said included the IT systems of her country’s parliament.

“We clearly told them that this sort of attack is unacceptable,” Agence-France Presse quoted Eriksen Søreide as saying.

China’s MSS and other parties in the county has been at the centre of other alleged high-profile cyberattacks in the US.

GE Aviation had worked with the US FBI for more than a year to lure Xu Yanjun, an alleged spy working for the MSS, into a law enforcement trap in Belgium in 2018. Xu was then extradited to the US and is now awaiting trial.

In 2019, a US federal grand jury charged Chinese national Wang Fujie in a hacking campaign described by the Justice Department at the time as “one of the worst data breaches in history”, an effort that yielded the personal data of 78 million people.

Additional reporting by Owen Churchill and Amber Wang

More from South China Morning Post:

This article US, Britain and EU blame China for Microsoft Exchange email server hack first appeared on South China Morning Post

For the latest news from the South China Morning Post download our mobile app. Copyright 2021.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting