Biden Administration to Blame Hackers Tied to China for Microsoft Cyberattack Spree

The U.S. government has “high confidence” that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, one of the officials said. The official said that U.S. allies are also expected to join in the attribution of the hacking activity, which rendered an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion.

The announcement is the most significant action from the Biden administration to date concerning China’s yearslong campaign of cyberattacks against the U.S. government and American companies, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccine data.

The Justice Department made public Monday a grand jury indictment from May that charged four Chinese nationals and residents working with the Ministry of State Security engaged in a hacking campaign from 2011 to 2018 intended to benefit China’s companies and commercial sectors by stealing intellectual property and business information. The indictment didn’t appear directly related to the Microsoft Exchange Server hack.

Attributing the Microsoft hack to China will be part of a broader global censure of Beijing’s cyberattacks by the U.S., the European Union, the U.K., Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO. They will accuse the MSS of using criminal contractors to “conduct unsanctioned cyber operations globally, including for their own personal profit,” such as cyber-enabled extortion and theft, the official said.

U.S. authorities have accused China of widespread hacking targeting American businesses and government agencies for years. China has historically denied the allegations.

The Exchange Server hack was disclosed by Microsoft in March alongside a software patch to fix the bugs being exploited in the attack. Microsoft at the time identified the culprits as a Chinese cyber-espionage group with state ties that it refers to as Hafnium, an assessment that was supported by other cybersecurity researchers. The Biden administration hadn’t offered attribution until now, and is essentially agreeing with the conclusions of the private sector and providing a more detailed identification.

The attack on the Exchange Server systems began slowly and stealthily in early January by hackers who in the past had targeted infectious-disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other China-linked hacking groups became involved, infecting thousands of servers as Microsoft worked to send its customers a software patch in early March.

Also on Monday, the National Security Agency, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency will jointly publish technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government, the official said. The release of such lists is common when the U.S. exposes or highlights malicious hacking campaigns and is intended to help businesses and critical infrastructure operators better protect their computer systems.

Cybersecurity experts have been pressing the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack. Cybersecurity expert

Dmitri Alperovitch,

with the Silverado Policy Accelerator think tank, said the coordinated global condemnation of China was a welcome and overdue development.

“The Microsoft Exchange hacks by MSS contractors is the most reckless cyber operation we have yet seen from the Chinese actors—much more dangerous than the Russian

SolarWinds

hacks,” said Mr. Alperovitch, referring to the widespread cyber-espionage campaign detected last December that, along with other alleged activities, prompted a suite of punitive measures against Moscow.

Mr. Alperovitch criticized the lack of any sanctions or other responses beyond public statements being levied against China and said it raised questions about why Beijing appeared to be evading harsher penalties, especially compared with those slapped on Russia.

“Failure to sanction any PRC-affiliated actors has been one of the most prolific and baffling failures of our China policy that has transcended administrations,” Mr. Alperovitch said, referring to the People’s Republic of China. Monday’s public shaming without further punishment “looks like a double standard compared with actions against Russian actors. We treat China with kid gloves.”

The senior administration official said the Biden administration was aware that no single action was capable of changing the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified stance against Beijing. The list of nations condemning China on Monday was “unprecedented,” the official said, noting it was the first time NATO itself had specifically done so.

“We’ve made clear that we’ll continue to take actions to protect the American people from malicious cyber activity, no matter who’s responsible,” the official said. “And we’re not ruling out further actions to hold the PRC accountable.”

Write to Dustin Volz at [email protected]