The Biden administration took formal steps today to pin the Microsoft Exchange software supply chain hack disclosed earlier this year on people connected with the Chinese government’s Ministry of State Security (MSS).
The cyberattack – which impacted at least 30,000 business and government customers in the United States – was attributed by Microsoft in early March to the Chinese-based “Hafnium” hacking group. Microsoft described the group as a “highly skilled and sophisticated actor” that launched its attacks from virtual private servers located in the United States and aimed to steal data from industry, disease researchers, higher education providers, defense contractors, and policy think tanks.
The top-line news from today’s White House announcement is tying the Hafnium group and its Microsoft Exchange attack directly to the Chinese government.
To that point, the White House said it was “attributing with a high degree of confidence that malicious cyber actors affiliated” with the Chinese MSS “conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”
Before Microsoft released security updates in response to the hack, “MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” the White House said.
As a result, the Biden administration said it has “raised our concerns about both this incident and the [Chinese government’s] broader malicious cyber activity” with the government, and made clear that those actions “threaten security, confidence, and stability in cyberspace.”
DoJ Brings Charges
At the same time, the Department of Justice (DoJ) said that a Federal grand jury in San Diego on July 16 returned an indictment against four Chinese nationals – three of them who worked for a “provincial arm” of the Chinese MSS – on a variety of criminal charges for their alleged participation in government-sponsored cyber attacks from 2011 to 2018 – but not specifically the Microsoft Exchange attack.
According to DoJ, the indicted individuals operated through a front company – the now-defunct Hainan Xiandun Technology Development Co. – in an attempt to hide the role of the Chinese government in malware-driven attacks on the computer systems of “dozens” of U.S. companies, universities, and “governmental entities.”
The indictment “alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” DoJ said.
The alleged hacking campaign targeted numerous countries including Germany and the United Kingdom and resulted in the theft of trade secrets and confidential business data across a range of technologies. DoJ said those include infectious diseases, “submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country.”
“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said in a statement.
“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe,” she said.
Paul Abbate, Deputy FBI Director, said the bureau, “alongside our Federal and international partners, remains committed to imposing risk and consequences on these malicious cyber actors here in the U.S. and abroad.”
“We will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage for its companies and commercial sectors through criminal intrusion and theft,” he said. “With these types of actions, the Chinese government continues to undercut its own claims of being a trusted and effective partner in the international community.”
White House Policy Aim
As part of today’s name-and-shame of the Chinese MSS, the White House is putting the Russian and Chinese governments in similar policy gunsights on cyber-attack issues – especially for directly sponsoring, or indirectly blessing, attacks launched from those countries.
Among other allegations, the White House said that “hackers with a history of working” for the Chinese MSS have “engaged in ransomware attacks, cyber-enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.”
“The [Chinese government’s] unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the administration said.
The Biden administration also took the Chinese government to task for backsliding on public commitments it made during the Obama administration to refrain from cyber attacks that aimed to steal intellectual property for commercial advantage.
President Biden’s public pressure on Russian President Vladimir Putin has followed along similar lines, including public admonishments of the Russian government for either allegedly backing cyberattacks against the U.S. and others, or allowing them to be launched from that country. The outcome of that effort so far is a commitment by both countries to work on agreements that exclude critical infrastructure from attack lists, but the administration said the result of that work won’t be clear for up to a year.
The Biden administration also pointed to international support for its actions against China-based hacking, having laid the groundwork for common understandings at NATO and G-7 meetings last month.
Speaking from the White House today, President Biden twinned the two situations.
“To the best of my knowledge – and I’m getting a report tomorrow morning on this in detail – my understanding is that the Chinese government, not unlike the Russian government is not doing this themselves, but are protecting those who are doing it, maybe even accommodating them being able to do it,” the president said.
In its own statement, the United Kingdom said it was “joining like-minded partners to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.”
“The cyberattack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behavior,” Foreign Secretary Dominic Raab said. “The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not.”
New Cyber Advisories
Finally, today’s White House announcement was followed by a new joint cybersecurity advisory from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI that provides more details on Chinese state-sponsored cyber techniques used to target U.S. and allied networks, including those used in the Microsoft Exchange hack.
“By exposing these techniques and providing actionable guidance to mitigate them, the U.S. Government continues to empower network defenders around the world to take action against cybersecurity threats,” the White House said.
“This Joint Cybersecurity Advisory provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors,” CISA said in announcing the joint advisory. The latest communication, the agency said, “builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.”
Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA, commented in a Twitter post today on the new advisory, and urged the advisory be viewed through three lenses: “1) What are the TTPs for the specific attack; 2) Can I learn anything towards a greater trend or pattern?; and 3) As orgs move to a zero trust posture, what defenses or solutions will help mitigate against these types of attacks.”