The United States, the European Union, NATO and other world powers on Monday accused the Chinese government of an array of malicious cyber activities, blaming its Ministry of State Security (MSS) and hackers working on its behalf for the attack on Microsoft Exchange Server disclosed in early March 2021.
The condemnations represent the first time NATO has denounced alleged Chinese cyberattacks, and they follow the Biden administration's pledge in June to rally U.S. allies against the People's Republic of China's (PRC) malicious cyber activities, the Washington Post reports. "Today, countries around the world are making it clear that concerns regarding the PRC's malicious cyber activities are bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security," a White House statement reads.
Although Microsoft said in March that the Exchange Server zero-days were being exploited by a Beijing-backed hacking group, this is the first time the U.S. and its allies have formally assigned blame for the Microsoft Exchange hack, which compromised tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private-sector victims. The PRC's actions, says the White House statement, "threaten security, confidence, and stability in cyberspace."
By formally accusing China's MSS-affiliated cyber operators, the U.S. and its allies hope to strengthen collective cyber resilience and security cooperation, put forward a common approach to cyber issues, and lay down "clear expectations and markers on how responsible nations behave in cyberspace."
Cybersecurity experts say that assigning blame to the PRC marks a significant escalation in cyber politics.
"Today marks a significant escalation in cyber politics with the formal accusation of China in an ongoing, widespread cyber offensive which includes targeting Microsoft Exchange servers back in March and also an undisclosed ransomware victim. This indicates that it is not just about a destabilization campaign, but also a financial motivation," says Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C. based provider of cloud identity security solutions.
However, merely accusing China of conducting malicious cyberattacks will not prevent future attacks, Carson adds. "While the accusation points the finger at China, it does not bring enough pressure to change China's increasing cyber offensive campaigns. Countries must collaborate collectively to hold nations accountable for cyberattackers that operate within their borders. Otherwise we will continue to see an escalation in cyberattacks without any action."
Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says the most positive development in the announcement is the possible formation of an allied coalition to establish and defend norms in cyberspace. "We suffer damage because the cyber sphere lacks the governing protocols that limit, say, chemical and nuclear warfare. If the U.S. can lead a NATO-style coalition of influential nations to stabilize cyberspace, it will likely have long-term security benefits. Government's primary role in cybersecurity should be to set policies for a more secure digital world while the private sector innovates. This looks like a promising step in the right direction."
The U.S. also accused China of working with criminal contract hackers to conduct unsanctioned cyber operations globally, including operations for the hackers' own personal profit: ransomware attacks, cyber-enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.
In some cases, the U.S. says, these PRC government-affiliated cybercriminals have conducted ransomware operations against private companies with ransom demands in the millions of dollars.
While it has been widely reported that China was behind the Microsoft hack, it is never easy to definitively attribute any single attack to a particular adversary, notes Mark Kedgley, CTO at New Net Technologies (NNT), now part of Netwrix, a provider of change management software. "When the Sony Pictures attack was first reported, many attributed the attack to North Korea based on the evidence available; however, it wasn't until several weeks later that an Executive Order was issued with sanctions. Bullying North Korea is easy, but muscling China is way more difficult and likely to come with a heavy price of self-harm, so strong words rather than actions are probably as far as this will go. In the meantime, anyone concerned about the Hafnium attack should review their hardened build standard."
In addition, the U.S. Department of Justice imposed costs by announcing criminal charges against four MSS hackers, who allegedly targeted foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare, in at least a dozen countries. DOJ documents outline how MSS hackers pursued the theft of Ebola virus vaccine research and demonstrate that the PRC's theft of intellectual property, trade secrets, and confidential business information extends to critical public health information.
"Much of the MSS activity alleged in the Department of Justice’s charges stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage," says the White House statement.
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) also released a joint cybersecurity advisory detailing additional PRC state-sponsored cyber techniques used to target U.S. and allied networks, including those used in exploiting the Exchange Server vulnerabilities.