China Spies Were Behind Massive Microsoft Hack That Hit Tens of Thousands of American Companies, Says U.S.
The Biden administration and several allies plan to allege Monday morning that China’s civilian intelligence service is responsible for a sweeping hacking campaign that hit tens of thousands of companies around the world earlier this year.
According to a senior Biden administration official, hackers affiliated with China’s Ministry of State Security (MSS) conducted the massive operation, which took advantage of security flaws in Microsoft Exchange Server software, or Microsoft’s email software. The attack was so widespread that the White House National Security Council at the time whipped up an emergency response group to address the offensive.
The U.S. and allies plan to lay out how the MSS has been hiring criminal hackers on a contractual basis to conduct Beijing’s hacking operations, according to the official.
“MSS is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyber operations globally,” the senior administration official said during a call on Sunday.
The National Security Agency, FBI, and the Department of Homeland Security’s cybersecurity agency (CISA) have spent months warning organizations about the Microsoft Exchange Server hacking, but this is the first time the U.S. government is formally attributing the campaign to the Chinese government. Microsoft security researchers had previously attributed the operation to actors operating in China, but did not detail a link with the MSS.
The European Union, NATO, Japan, and members of the Five Eyes intelligence-sharing alliance—the U.K., Australia, Canada, and New Zealand—will also be criticizing MSS’s hacking Monday, according to the official. It’s the first time NATO is publicly attributing this kind of activity to China.
The U.S. and allies also plan to allege the contracted hackers working for MSS have been running hacking campaigns for their own personal profit on the side. Some of the intelligence agency’s hackers are running ransomware operations, the official said. In one case the hackers have targeted an American firm and made a ransom demand worth millions of dollars.
The U.S. Department of Justice announced Monday that a federal grand jury in May had charged four Chinese nationals and residents for coordinating a hacking campaign on behalf of the MSS targeting victims in the U.S. and abroad between 2011 and 2018. It was unclear if other charges related to the MSS were forthcoming.
The U.S. intelligence community has long observed hackers with connections to the Russian or Iranian government working for personal gain. But the MSS appears to have put a twist on the usual playbook of hackers working dual roles, the administration official said.
“On the Russian side… we sometimes see individuals moonlighting. And we see… some connections between Russian intelligence services and individuals,” the official said. “But… the MSS use of criminal contract hackers to conduct unsanctioned cyber operations globally is distinct.”
Contract hackers have long been the bread and butter of the MSS, according to a mysterious, anonymous group known as Intrusion Truth, which has been publishing investigations on a blog dedicated to exposing what it says are hackers working for the MSS through front companies and contracts. Other researchers, including those at cybersecurity firm FireEye, have previously said that some hackers affiliated with the Chinese government appear to run financially-focused hacking operations for their own personal gain.
China’s embassy in the U.S. did not immediately return a request for comment.
The administration’s decision to highlight China’s role in the recent spate of hacking comes just as the U.S. government is grappling with a wave of cyberattacks that Russian-speaking cybercriminals and Russian government-linked hackers have also launched against American companies in recent months. The onslaught of attacks has left the Biden administration scrambling to thwart Russian hacking campaigns and get Russian President Vladimir Putin to punish hackers launching attacks from within his country.
And while Putin’s response to Biden’s entreaties on ransomware hacking has been lackluster by some measures—the Kremlin says they haven’t received requests from U.S. agencies to hold hackers to account, a statement the Biden administration disputes—the U.S. government has taken swift action to hold Russia’s feet to the fire in recent months. The administration expelled 10 Russian diplomats and applied sanctions to a score of individuals and companies following a hacking operation the U.S. government says Russia’s Foreign Intelligence Service (SVR) launched against U.S. companies and several federal agencies.
But if the administration’s response to the Russian hacking has been quick and somewhat comprehensive, the administration’s response to the Chinese hacking might appear to lack heft.
Chinese hackers’ approach to the Microsoft Exchange Server hacking was anything but strategic, and instead was indiscriminate and brazen, says Allison Nixon, who worked with companies vulnerable to the Chinese hacking operation.
“It seemed like they didn't care whether victim machines belonged to a strategic target or rival nation,” Nixon, chief research officer at cybersecurity consulting firm Unit 221B, told The Daily Beast.
The Chinese hackers didn’t leave any vulnerable systems unscathed and left companies open to ransomware attacks, according to Nixon.
“They hit the whole vulnerable population,” Nixon said. “When this is increasingly so damaging to civilian systems, wearing people down with this constant onslaught, we have to draw a line somewhere.”
Dmitri Alperovitch, the former CTO of cybersecurity firm CrowdStrike—the firm that attributed the 2016 Democratic National Committee hack to Russian government hackers—told The Daily Beast the U.S. government ought to apply more pressure to the Chinese government.
“Given that sanctions have already been used against virtually every other rogue cyber nation-state, not using them against China is a glaring oversight,” said Alperovitch, now executive chairman at Silverado Policy Accelerator. “The administration deserves credit for the impressive international coalition of abominations against China’s reckless Microsoft Exchange hack and I’m hopeful that the next logical step will include related criminal indictments and the first-ever imposition of sanctions against [the People’s Republic of China] actors for such violations.”
The Biden administration hasn’t ruled out applying more pressure to Beijing, the senior administration official said, noting that U.S. officials have been in touch with senior Chinese government officials to warn them their brazen hacking will have consequences.
“We're not ruling out further actions to hold the PRC accountable,” the official said. “We're also aware that no one action can change the PRC’s behavior… We’ve raised our concerns about both the Microsoft incident and the PRC’s broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace.”
Other countries are expected to attribute the activity to Beijing in the coming days, according to the official.
Beijing might be responsive to the U.S., EU, and allied naming and shaming as is, but bringing specific hackers to justice will be crucial to tamping down on this kind of attack moving forward, says Phil Reiner, the chief executive officer of the Institute for Security and Technology.
“The Biden administration continues to prioritize working with international partners to enforce global rules and norms—this is refreshing, and welcome. Making clear with other national leaders that this wanton and dangerous cyber activity won’t be allowed is a powerful tool, but one must wonder if additional actions are still forthcoming—like indictments and or sanctions,” Reiner, who previously served in the Office of the Under Secretary of Defense for Policy in the Pentagon, told The Daily Beast. “International pressure might be considered a powerful tool in the China instance, but we should also be holding those accountable that conducted these attacks.”
Get our top stories in your inbox every day. Sign up now!
Daily Beast Membership: Beast Inside goes deeper on the stories that matter to you. Learn more.
