The Biden administration and U.S. allies on Monday blamed the Chinese government for a sprawling web of cyberattacks, including a blizzard of hacks into Microsoft email servers in March and intrusions for which Beijing partnered with cyber criminals.
The announcement by the U.S., the European Union, NATO and five close allies comes as the Biden administration attempts to establish a global consensus on limitations around cyberattacks, including discouraging hacks of critical infrastructure and breaches of businesses designed to extort money or steal trade secrets.
In a separate action, the Justice Department charged four Chinese nationals, three of them government agents, with engaging in a long-running hacking campaign aimed at stealing Ebola vaccine research, autonomous vehicle technology and other intellectual property from dozens of companies in the U.S. and other countries.
That operation involved creative means of exfiltrating stolen data, including by hiding it in a photo of then-President Donald Trump through a process called steganography.
Monday’s statements underscore how China’s aggressive digital army continues to wreak havoc while public attention largely focuses on the cyber threat from Russia.
Intelligence officials have concluded that China’s Ministry of State Security “uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit,” a senior administration official told reporters on Sunday.
In some cases, the official said, Chinese hackers planted software on victims’ computers that silently generated units of cryptocurrency, a process known as mining. In other cases, cyber criminals working for Beijing have infected businesses with ransomware and demanded multimillion-dollar ransom payments, according to the official, who spoke anonymously per U.S. government policy.
Perhaps the most significant attack being attributed to Beijing is the massive series of intrusions into Microsoft Exchange servers that the tech giant disclosed in March. Those attacks, which exploited previously unknown digital flaws, breached tens of thousands of servers belonging to businesses and local governments and exposed them to a feeding frenzy of follow-up hacks by other groups.
The Biden administration has “high confidence” that Chinese cyber criminals hacked the Exchange servers “with the Ministry of State Security’s knowledge,” the senior administration official said.
The official described China’s “pattern of irresponsible behavior in cyberspace” as “inconsistent with its stated objectives of being seen as a responsible leader in the world.”
Chinese cyberattacks usually focus on stealing intellectual property from Western businesses so that Chinese companies can analyze and copy it. But the Ministry of State Security’s partnerships with profit-minded criminals may reflect a new strategy for Beijing.
“The use of criminal contract hackers … was really eye-opening and surprising for us,” the senior administration official told reporters.
The ransomware attacks conducted by Chinese government-affiliated hackers — one of which the official said involved “a large ransom request made to an American company” — also surprised the Biden administration.
The newly unsealed indictment, meanwhile, highlights Beijing’s more traditional focus on trade-secrets theft. It charges three officers of the the State Security Department in Hainan province and one employee of a front company that the department established to obscure its role.
The department's officers coordinated with criminal hackers and university professors to breach companies in a wide variety of industries, including health care, defense, aviation and pharmaceuticals, between 2011 and 2018, according to the indictment. One university in Hainan allegedly helped manage the front company by supplying a mailing address and managing its payroll.
Some of the hacks were aimed at stealing information that could help Chinese state-owned companies win contracts in the victim countries, prosecutors said.
“China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said in a statement.
As part of Monday’s announcements, the FBI, the NSA and DHS’ Cybersecurity and Infrastructure Security Agency released a report exposing more than 50 tactics and techniques associated with Chinese government hackers, as well as a report focused on the hacking team at the center of the new indictment, which is known as APT40.
The senior administration official said the government-wide cyber upgrades mandated in a recent executive order from President Joe Biden would thwart many of these common attack methods.
Monday’s multilateral condemnation of Chinese hacking is meant to showcase the U.S.’ ability to recruit like-minded countries to declare certain behavior beyond the pale.
The U.K., Australia, Canada, New Zealand and Japan joined the Biden administration in criticizing China for its attacks, with more countries expected to sign on in the coming weeks. NATO’s participation marks the first time that it has called out the Chinese government in this way.
The breadth of the condemnations reflects “the degree to which countries increasingly recognize that there’s power in collective defense,” the senior administration official said.
But it remains unclear how even multilateral denunciations will alter the calculus for Beijing, which has found cyberattacks to be a potent tool for gathering intelligence, supporting its domestic industry and destabilizing foreign rivals.
The senior administration official described Monday’s announcement as part of a broader campaign, saying “no one action can change China's behavior in cyberspace, and neither can just one country acting on its own.”
In the four and a half months since Microsoft revealed the Exchange hacks, some cyber experts have wondered why it was taking the U.S. so long to blame China, as private security experts quickly did. The senior administration official attributed the delay to the scope of the intrusions, the desire to fully understand China's role and the need to recruit allies for a joint announcement.