The U.S. government and its key allies, including the European Union, the U.K., and NATO, formally attributed the massive cyberattack against Microsoft Exchange email servers to state-sponsored hacking crews working affiliated with the People's Republic of China's Ministry of State Security (MSS).
In a statement issued by the White House on Monday, the administration said, "with a high degree of confidence that malicious cyber actors affiliated with PRC's MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021. The U.K. government accused Beijing of a "pervasive pattern of hacking" and "systemic cyber sabotage."
The sweeping espionage campaign exploited four previously undiscovered vulnerabilities in Microsoft Exchange software and is believed to have hit at least 30,000 organizations in the U.S. and hundreds of thousands more worldwide. Microsoft identified the group behind the hack as a skilled government-backed actor operating out of China named Hafnium.
Calling it "the most significant and widespread cyber intrusion against the U.K. and allies," the National Cyber Security Centre (NCSC) said the attack was highly likely to enable "acquiring personally identifiable information and intellectual property."
In addition, the MSS was also outed as the party behind a series of malicious cyber activities tracked under the monikers "APT40" and "APT31," with the U.K. attributing the groups for targeting maritime industries and naval defence contractors in the U.S. and Europe, and as well as for executing the attack on the Finnish parliament in 2020.
Also, on Monday, the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory listing over 50 tactics, techniques, and procedures employed by APT40 and other Chinese state-sponsored cyber actors.
"It has been a few months since attackers exploited the Hafnium related bugs in Exchange to deploy ransomware, like DearCry and Black Kingdom," Mark Loman, director of engineering at Sophos, said in an emailed statement. "In general, to protect themselves, ransomware operators typically operate from the dark web, or via one or more compromised servers hosted in countries other than the physical location of the attackers. This makes attack attribution hard, but not impossible."
US Indicts Members of APT 40 Chinese Hacking Group
In a related development, the U.S. Department of Justice (DoJ) pressed criminal charges against four MSS hackers belonging to the APT40 group concerning a multiyear campaign targeting foreign governments and entities in maritime, aviation, defense, education, and healthcare sectors in the least a dozen countries to facilitate the theft of trade secrets, intellectual property, and high-value information.
Separately, the NCSC also announced that a group known as "APT10" acted on behalf of the MSS to carry out a sustained cyber campaign focused on large-scale service providers with the goal of seeking to gain access to commercial secrets and intellectual property data in Europe, Asia, and the U.S.
"APT 10 has an enduring relationship with the Chinese Ministry of State Security, and operates to meet Chinese State requirements," the intelligence agency said.
In a press statement, the European Union urged Chinese authorities to take action against malicious cyber activities undertaken from its territory, stating the Microsoft Exchange server hacks resulted in security risks and significant economic loss for government institutions and private companies.
The Chinese government has repeatedly denied claims of state-sponsored intrusions. A spokesperson for the Chinese Embassy in Washington, according to the Associated Press, painted China as "a severe victim of the U.S. cyber theft, eavesdropping, and surveillance," noting that the "U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity."
"The PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit," the White House said, adding "hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, cryptojacking, and rank theft from victims around the world, all for financial gain."
Update: Speaking at a press conference, Zhao Lijian, a spokesperson for the Chinese Ministry of Foreign Affairs, rejected accusations that Beijing was behind the global cyber hacking campaign targeting Microsoft Exchange servers and accused the U.S. of being the world's largest source of attacks in cyberspace.
"China firmly opposes and combats all forms of cyber attacks. It will never encourage, support or condone cyber attacks. This position has been consistent and clear," Lijian said. "Given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, it's important to have enough evidence when investigating and identifying cyber-related incidents. It requires extra prudence when linking cyber attacks with the government of any country. The so-called technical details released by the U.S. side do not constitute a complete chain of evidence."