US: Chinese Government Waged Microsoft Exchange Attacks
China's Ministry of State Security Also Accused of Carrying Out Ransomware Attacks
The Biden administration on Monday formally accused a group working for China's Ministry of State Security of carrying out a series of attacks against vulnerable Microsoft Exchange email servers earlier this year that affected thousands of organizations in the U.S. as well as around the world.
On March 4, Microsoft issued emergency patches for four vulnerabilities in certain versions of its on-premises Exchange email server that the company says were exploited by a China-based group its researchers called Hafnium.
Now, the White House says that this attack group worked for China's Ministry of State Security, or MSS, which oversees foreign intelligence and counter-intelligence operations for the country's government. The administration says it has "a high degree of confidence" that attackers associated with MSS conducted the global Exchange campaign.
To bolster the case against China, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Agency released a document describing the tools, techniques and procedures that MSS-affiliated groups have used over the last several years, including a list of vulnerabilities that attackers have exploited.
In recent years, the U.S. has accused MSS and threat groups affiliated with or working for the Chinese agency of conducting numerous cyber operations against American organizations and other targets (see: CISA: Chinese Hackers Targeting US Agencies).
"Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims," according to the White House.
Besides the attacks against on-premises Exchange servers, the White House accused MSS-affiliated groups of carrying out numerous other cyber operations, including ransomware attacks that resulted in millions of dollars in ransoms paid to the attackers.
A senior administration official, who spoke on the condition of anonymity, says that ransomware attacks conducted by MSS-affiliated groups were a surprise to the White House and show that China is becoming much more aggressive when it comes to carrying out various cyber operations.
"I can't speak to further details of the ransomware attacks, but it literally was what we think about with ransomware: a ransom request - a large ransom request made to an American company," the senior administration official says. "And it really raised concerns for us with regard to the behavior and, frankly, as I noted, with regard to the fact that … individuals affiliated with the MSS conducted it."
While the Biden administration formally accused China of sanctioning the Exchange attacks, the Justice Department unsealed an indictment accusing four Chinese nationals of conducting a variety of cyber operations against U.S. and other organizations around the world. None of the four individuals listed in the indictment, however, are accused of conducting the Exchange attacks.
No Sanctions Yet
While the White House and other U.S. government agencies accused China's MSS of conducting the Exchange attacks, the Biden administration has not issued formal sanctions or other punishments against the Chinese government.
In April, when the Biden administration formally accused Russia's Foreign Intelligence Service - SVR - of carrying out the attack that targeted SolarWinds, the Treasury Department issued sanctions against the Russian government and more than 30 companies and individuals accused of supplying tools, infrastructure and technologies for various cyber operations or participating in the election-related disinformation campaign (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
The senior administration official says the accusation against the MSS, for both the Exchange attacks and the cyber operations, was brought to the attention of China's government before Monday's announcement.
"We've raised our concerns about both the Microsoft incident and the [People's Republic of China's] broader malicious cyber activity with senior PRC government officials, making clear that the PRC's actions threaten security, confidence and stability in cyberspace," the senior administration official says. "The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable."
And while there were no formal sanctions issued against the Chinese government or the MSS, the Biden administration included the U.K., the European Union and NATO in Monday's announcement to strengthen its case against China and its cyber operations.
"Responsible states do not indiscriminately compromise global network security nor knowingly harbor cybercriminals - let alone sponsor or collaborate with them," says Secretary of State Antony Blinken. "These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments and cybersecurity mitigation efforts, all while the MSS had them on its payroll."
The senior administration official also notes that this is the first time that NATO has condemned China over its malicious cyber activities.
"We acknowledge national statements by allies, such as Canada, the United Kingdom, and the United States, attributing responsibility for the Microsoft Exchange Server compromise to the People's Republic of China," according to the NATO statement.
Will Action Be a Deterrent?
Cybersecurity experts are split on whether the information that the White House released about the role that China's MSS allegedly played in the Exchange attacks would help deter China from conducting cyber offensive activities.
Tom Kellermann, the head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, says the Biden administration's strong stance on cyber activity by Russia and China is welcome.
"This administration is beginning to take the gloves off with rogue nations who harbor and deploy cyber spies," Kellermann says.
Some other security experts, however, say that the administration needs to take more punitive action against nation-state attackers.
For example, Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike, took to Twitter Monday to call for more actions against China and groups affiliated with the government.
"The next step needs to include imposition of sanctions against PRC actors for such violations. Given that sanctions have already been used against virtually every other rogue cyber nation state, not using them against China is a glaring oversight 3/3" - Dmitri Alperovitch (@DAlperovitch), July 19, 2021
While the Biden administration has now accused attackers working for China's MSS of exploiting the flaws in vulnerable versions of on-premises Exchange servers, researchers also found that other advanced persistent threat groups took advantage of these bugs once more information became public (see: Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws).
As part of the response to these attacks, the White House created a Unified Coordination Group to investigate these incidents shortly after they were identified. For the first time, the government allowed a private company - Microsoft - to participate in these discussions over a cybersecurity incident.
Later, Microsoft provided a one-click mitigation tool for customers that were running on-premises versions of Exchange servers to reduce the risk until they could fully implement patches. That mitigation tool helped reduce the number of vulnerable Exchange servers from 140,000 to less than 10,000 in the span of a week, according to Anne Neuberger, the deputy national security adviser for cybersecurity.
As part of the response to both Russian and Chinese cyber activity, President Joe Biden signed an executive order on May 12 to improve U.S. cybersecurity, especially at the federal level.
When announcing the details of the Exchange attacks on Monday, the senior administration official noted that government agencies have made strides toward achieving the goals outlined in the order. For example, the National Institute of Standards and Technology last month published its definition of "critical software" that needs scrutiny when acquired and monitoring when implemented (see: NIST Releases 'Critical Software' Definition for US Agencies).
"We call on private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents," the senior administration official says.