U.S. Blames Hackers Tied to China for Microsoft Cyberattack Spree

The U.S. government has “high confidence” that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.

“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Antony Blinken said. The MSS, he added, had “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

The U.K. and European Union joined in the attribution of the hacking activity, which rendered an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion.

The U.S.-led announcement is the most significant action from the Biden administration to date concerning China’s yearslong campaign of cyberattacks against the U.S. government and American companies, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccine data.

The Justice Department made public Monday a grand jury indictment from May that charged four Chinese nationals and residents working with the Ministry of State Security of being engaged in a hacking campaign from 2011 to 2018 intended to benefit China’s companies and commercial sectors by stealing intellectual property and business information. The indictment didn’t appear directly related to the Microsoft Exchange Server breach, but accused the hackers of stealing information from companies and universities about Ebola virus research and other topics to benefit the Chinese government and Chinese companies.

Attributing the Microsoft hack to China will be part of a broader global censure of Beijing’s cyberattacks by the U.S., the European Union, the U.K., Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO. They will accuse the MSS of using criminal contractors to “conduct unsanctioned cyber operations globally, including for their own personal profit,” such as cyber-enabled extortion and theft, the official said.

U.S. authorities have accused China of widespread hacking targeting American businesses and government agencies for years. China has historically denied the allegations. A spokesman for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.

The Exchange Server hack was disclosed by Microsoft in March alongside a software patch to fix the bugs being exploited in the attack. Microsoft at the time identified the culprits as a Chinese cyber-espionage group with state ties that it refers to as Hafnium, an assessment that was supported by other cybersecurity researchers. The Biden administration hadn’t offered attribution until now, and is essentially agreeing with the conclusions of the private sector and providing a more detailed identification.

The attack on the Exchange Server systems began slowly and stealthily in early January by hackers who in the past had targeted infectious-disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other China-linked hacking groups became involved, infecting thousands of servers as Microsoft worked to send its customers a software patch in early March.

Also on Monday, the National Security Agency, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency jointly published technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government, the official said. The release of such lists is common when the U.S. exposes or highlights malicious hacking campaigns and is intended to help businesses and critical infrastructure operators better protect their computer systems.

Cybersecurity experts have been pressing the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack. Cybersecurity expert Dmitri Alperovitch, with the Silverado Policy Accelerator think tank, said the coordinated global condemnation of China was a welcome and overdue development.

“The Microsoft Exchange hacks by MSS contractors is the most reckless cyber operation we have yet seen from the Chinese actors—much more dangerous than the Russian SolarWinds hacks,” said Mr. Alperovitch, referring to the widespread cyber-espionage campaign detected last December that, along with other alleged activities, prompted a suite of punitive measures against Moscow.

Mr. Alperovitch criticized the lack of any sanctions being levied against China and said it raised questions about why Beijing appeared to be evading harsher penalties, especially compared with those slapped on Russia.

“Failure to sanction any PRC-affiliated actors has been one of the most prolific and baffling failures of our China policy that has transcended administrations,” Mr. Alperovitch said, referring to the People’s Republic of China. Monday’s public shaming without further punishment “looks like a double standard compared with actions against Russian actors. We treat China with kid gloves.”

The senior administration official said the Biden administration was aware that no single action was capable of changing the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified stance against Beijing. The list of nations condemning China on Monday was “unprecedented,” the official said, noting it was the first time NATO itself had specifically done so.

“We’ve made clear that we’ll continue to take actions to protect the American people from malicious cyber activity, no matter who’s responsible,” the official said. “And we’re not ruling out further actions to hold the PRC accountable.”

The new indictment said that members of a provincial branch of China’s intelligence service in the southern Hainan Province created a front company that described itself as an information security company and directed its employees to hack dozens of victims in the U.S., Austria, Cambodia and several other countries.

The defendants, three of whom are described as intelligence officers, aren’t in U.S. custody. Some cybersecurity experts have said indictments against foreign state-backed hackers often have little impact, because the accused are rarely brought before an American courtroom. U.S. officials have defended the practice, saying it helps convince allied governments, the private sector and others about the scope of the problem.

The group is accused of hacking into dozens of schools, companies, and government agencies around the world, ranging from a research facility in California and Florida focused on virus treatments and vaccines, to a Swiss chemicals company that produces maritime paints, to a Pennsylvania university with a robotics engineering program and the National Institutes of Health, to two Saudi Arabian government ministries. The companies and universities aren’t named in the indictment.

The hackers allegedly used fake spear-phishing emails and stored stolen data on GitHub, the indictment said. They coordinated with professors at a Chinese university, including to identify and recruit hackers for their campaign, it said. The alleged NIH breach dates to August 2013, the indictment said.

Write to Dustin Volz at [email protected] and Aruna Viswanatha at [email protected]