White House Accuses China of Microsoft Exchange Attack

Russia may have drawn the lion’s share of scorn for a recent string of cyberattacks against U.S. and global interests, but the Biden administration and a bevy of allies and partners blame China for the assault on Microsoft’s email system.

Noting the long history of hackers working for the PRC Ministry of State Security (MSS) “in ransomware attacks, cyber-enabled extortion, crypto-jacking, and rank theft from victims” globally for financial gain, the White House fingered MSS-linked actors “with a high degree of confidence” for the “cyber espionage operations” that exploited zero-day vulnerabilities in Microsoft Exchange Server that were disclosed in early March 2021.

“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” according to a White House statement backed by partners, including the EU, the UK and NATO.

“The most positive development here is the possible formation of an allied coalition to establish and defend norms in cyberspace. We suffer damage because cyberspace lacks the governing protocols that limit, say, chemical and nuclear warfare,” said Hitesh Sheth, president and CEO at Vectra.

“Today marks a significant escalation in cyber politics with the formal accusation of China in an ongoing, widespread cyber offensive which includes targeting Microsoft Exchange servers back in March and also an undisclosed ransomware victim,” said Joseph Carson, chief security scientist and advisory CISO at Thycotic Centrify. “This indicates that it is not just about a destabilization campaign, but [there is] also a financial motivation.”

In recent months, President Biden has laid the groundwork for taking a harder line against nation-states like China and Russia for their malicious activities. Today’s announcement, meant to expose China’s use of criminal hackers to execute illegal, for-profit cybercriminal operations, is just one action in Biden’s commitment to creating “a common cyber approach with our allies and laying down clear expectations and markers on how responsible nations behave in cyberspace,” the White House said. “Working collectively enhances and increases information sharing, including cyber threat intelligence and network defense information, with public and private stakeholders and expanded diplomatic engagement to strengthen our collective cyber resilience and security cooperation.”

Sheth noted, “If the U.S. can lead a NATO-style coalition of influential nations to stabilize cyberspace, it will likely have long-term security benefits.”

Contending that “government’s primary role in cybersecurity should be to set policies for a more secure digital world while the private sector innovates,” Sheth said the White House’s move “looks like a promising step in the right direction.”

In particular, the Biden administration has taken numerous steps aimed at China to curb its illicit cyber activity and shore up the cybersecurity posture of the U.S. and its allies, including:

  • Taking “proactive network defense actions to prevent systems compromised through the Exchange Server vulnerabilities from being used for ransomware attacks or other malicious purposes.”
  • Creating “a new model for cyber incident response by including private companies in the Cyber Unified Coordination Group (UCG) to address the Exchange Server vulnerabilities.”

To better arm network defenders against China’s encroachment, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI issued a cybersecurity advisory that provides detailed information on techniques used by China in other attacks against the U.S. and its allies.

And the Justice Department is bringing criminal charges against four MSS hackers involved in a multi-year campaign aimed at foreign governments as well as health care, maritime, aviation, education, defense and other sectors. Malicious activities included stealing intellectual property, trade secrets, confidential business data and, in a particularly unsavory attack, attempting to steal research for an Ebola vaccine.

Important steps, all. But the administration’s actions stopped short of imposing the same type of sanctions on China that the U.S. has levied against Russia.

“While the accusation points the finger at China, it does not bring enough pressure to change China’s increasing cyber offensive campaigns,” said Carson. “Countries must collaborate collectively to hold nations accountable for cyberattackers that operate within their borders. Otherwise, we will continue to see an escalation in cyberattacks without any action.”

But Mark Kedgley, CTO at New Net Technologies, cautioned that while it has been widely reported that China is behind the so-called Hafnium attacks, which compromised tens of thousands of Exchange servers, “it is never easy to definitively attribute any single attack to a particular adversary.”

North Korea was believed to be behind an attack on Sony Pictures in 2015, though it took several weeks before then-President Obama issued an executive order detailing sanctions. “Bullying North Korea is easy,” Kedgley said, “but muscling China is way more difficult—and likely to come with a heavy price of self-harm—so strong words rather than actions are probably as far as this will go.”

Teri Robinson
