Following a push by the White House to address the ransomware crisis emanating from Russia and the imposition of sanctions on Russia for its spree of malicious cyber actions, the Biden administration has launched a multi-part strategy to shame another digital security adversary, China, into halting its digital malfeasance.
First, the administration formally accused China of breaching Microsoft’s Exchange email servers to implant what most experts consider reckless and damaging surveillance malware. Although Microsoft has long attributed that incident to a Chinese hacking group it calls HAFNIUM, the White House has now finally and officially acknowledged China’s role in that supply chain attack.
In a statement, the White House said it is attributing “with a high degree of confidence that malicious cyber actors affiliated with PRC’s [People’s Republic of China] MSS [Ministry of State Security] conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”
Secretary of State Anthony Blinken said in a statement that “the United States government, alongside our allies and partners, has formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber-espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims.”
Broad coalition of international partners supports the US
One group of allies is the European Union and its member states, which condemned China’s hacking efforts, a significant step given the economic and trading power China holds across Europe. “The compromise and exploitation of the Microsoft Exchange Server undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions,” the European Council of the EU said in a statement. “This irresponsible and harmful behaviour resulted in security risks and significant economic loss for our government institutions and private companies and has shown significant spill-over and systemic effects for our security, economy, and society at large.”
Another major US ally, NATO, denounced China for its digital incursions, a first for the organization. In a press release, NATO said that “We stand in solidarity with all those who have been affected by recent malicious cyber activities including the Microsoft Exchange Server compromise. Such malicious cyber activities undermine security, confidence, and stability in cyberspace.”
The UK, Canada and Australia also joined in chastising China. Paul Chichester, director of operations at the National Cyber Security Center (NCSC), an arm of the U.K.’s primary intelligence agency, GCHQ, said in a statement that China’s attack on Microsoft “is completely unacceptable, and alongside our partners, we will not hesitate to call it out when we see it.”
Canada’s Ministers of Foreign Affairs, National Defense, and Public Safety and Emergency Preparedness issued a joint statement saying, “Canada and its allies remain steadfast in their unity and solidarity in calling out irresponsible state-sponsored cyber activity.” Australia’s Ministers for Home Affairs, Foreign Affairs and Defenses also issued a joint statement saying that “Australia calls on all countries – including China – to act responsibly in cyberspace.”
APT40 identified as Chinese threat group behind Microsoft Exchange hack
The US, the UK and the EU attributed the Microsoft Exchange attack to a Chinese threat group known as APT40. As part of the administration’s campaign to get China to back down, the US Department of Justice announced charges unrelated to the Microsoft Exchange hack against four Chinese individuals, including three Chinese cybersecurity officials. The charges were filed in May but not announced until yesterday. The indicted individuals also allegedly work for APT40, and prosecutors say they worked for the Hainan State Security Department (HSSD) of China’s MSS.
In addition to these condemnations and charges, the NSA, CISA, and FBI released a series of advisories detailing Chinese cyber threat activity and how administrators can best protect against APT40’s threats.
China managed to evade sanctions, but Russia did not
Some cybersecurity experts say the administration stopped short of causing the same level of pain for China that it did for Russia with the imposition of sanctions. For example, Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder and former CTO of Crowdstrike, said given “that sanctions have already been used against virtually every other rogue cyber nation-state, not using them against China is a glaring oversight.”
White House Press spokesperson Jen Psaki rejected the notion that the administration is softer on China than Russia. During a press briefing, she said, “We are actually elevating and taking steps to not only speak out publicly but certainly take action as it relates to problematic cyber activities from China in a different way. We are not differentiating. One is out of the realm of condemnation, and the other is out of the realm of consequence.”
Addressing the idea that the White House is leery of angering China due to fear of alienating a powerful trading partner, Psaki said, “We’re not holding back. We’re not allowing any economic circumstance or consideration to prevent us from taking actions where warranted. We reserve the option to take additional actions where warranted as well.”
Lawmakers approve but say more is needed
Lawmakers approved of the White House’s actions but encouraged the administration to do more. For example, Senate Intelligence Committee Chairman Mark Warner (D-VA) praised the administration but said, “There’s still more work to do to address our cyber vulnerabilities.”
Representative Jim Langevin (D-RI), co-chair of the Congressional Cybersecurity Caucus and chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems (CITI), said, “Today’s announcement is an impressive demonstration of American diplomatic strength and a poignant reminder that American global leadership has returned after a four-year hiatus. We must continue working in concert with our allies to clearly define what is – and what is not – acceptable behavior in cyberspace.”
China blamed for ransomware attacks, too
One new idea to emerge from the administration’s efforts is that the Chinese state is directly responsible for damaging ransomware attacks. Previously, the US has acknowledged that some Chinese state workers might moonlight as ransomware hackers, but it has not tied those attacks directly to the Chinese government until now.
In its statement, the White House said that in some cases, “We are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars.”
Secretary Blinken said in his statement, “The PRC’s Ministry of State Security (MSS) has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.” Many, if not most, cybersecurity professionals would not think of China as a player in state-sponsored ransomware attacks.
However, cybersecurity firm Profero issued a report in January linking ransomware attacks to Chinese threat groups APT27 and Winnti. Profero CEO Omri Segev Moyal said then that his company’s research tells the story of how the “thin line between nation-states and cybercrime was crossed.”
“As our public report about APT27 states, we believe that Chinese APT groups closely related to their intelligence units were involved in ransomware attacks,” Moyal tells CSO. “This says a lot.” Moyal welcomes Biden’s efforts to constrain China’s hacks and attacks. “I think we are in a situation where the economic impact of ransomware and APT espionage have reached such a critical level it can no longer be ignored,” he says. “I think it’s a great initiative by the Biden administration in taking a global stand against state-sponsored attacks.”