The Chinese Ministry of State Security intelligence service was behind a major international cyberattack this year involving tens of thousands of computers penetrated through security flaws in Microsoft software, the White House charged Monday in coordination with a group of major U.S. allies.
Beijing also is employing contract Chinese hackers to carry out ransomware attacks in financial crime schemes, said a statement kicking off a major publicity campaign targeting what U.S. officials say are extensive Chinese state-linked hacking operations around the globe.
“Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security,” the statement said about the People’s Republic of China.
The Justice Department indicted four Chinese nationals, three of them MSS officials, on charges related to a separate global cybercampaign targeting dozens of companies in a search for sensitive business information, including infectious disease research.
“The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit,” the White House said.
Allies around the world — including Britain, Japan, Australia, New Zealand, the European Union and NATO — were issuing coordinated statements sharply critical of Chinese hacking operations Monday morning.
The American statement said the U.S. government linked the MSS “with a high degree of confidence” to the use of a security flaw, disclosed in early March, to attack computers running Microsoft Exchange Server software.
The software has since been patched, but the attack affected tens of thousands of computers.
“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Antony Blinken said.
“The PRC’s Ministry of State Security (MSS) has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
China’s cyberattack amounted to “a reckless but familiar pattern of behavior,” British Foreign Secretary Dominic Raab said in a parallel statement released in London.
Beijing must “end this systematic cyber-sabotage,” Mr. Raab warned, and it “can expect to be held to account if it does not.”
The NATO alliance also condemned malicious cyberattacks but limited direct criticism of China for its role in the activities. In a statement, NATO acknowledged allies’ identification of China as being behind the Microsoft server attacks.
“We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” the alliance said.
In Tokyo, the Japanese government voiced “deep concern” over Chinese government cyberattacks by a group called APT40.
“Japan also assesses that it is highly likely that the Chinese government is behind APT40 and has been paying close attention with deep concern to these attacks by APT40 and others which threaten the security of cyberspace,” the government said in a statement.
The statement noted that a Chinese military hacking group had been linked to cyberattacks on Japanese companies.
“Malicious cyber activities that could potentially undermine the foundation of democracy embodied by free, fair and secure cyberspace cannot be condoned,” the statement said.
The European Union said in a statement that “the EU and its member states strongly denounce these malicious cyber activities.”
“The EU and its member states assess these malicious cyber activities to have been undertaken from the territory of China,” the statement said.
Liu Pengyu, a Chinese Embassy spokesman, said the U.S. charges are “groundless attacks and [a] malicious smear against China on cybersecurity.”
“Now this is just another old trick, with nothing new in it,” he said in a statement. “The Chinese government and relevant personnel never engage in cyberattacks or cyber theft.”
“We urge the US to immediately stop its ‘empire of hacker’ campaign and stop illegally damaging other countries’ interests and security,” Mr. Liu said.
A senior Biden administration official said on background that Beijing’s apparent use of contractors for criminal ransomware hacking was “really eye-opening and surprising for us.”
“MSS is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyberoperations globally,” the official said in a briefing for reporters Sunday night. “That is very much with the Ministry of State Security’s knowledge.”
The cyberattacks that exploited a security flaw in Microsoft Exchange Server software also were significant and were “very eye-opening to us as well,” the official said.
“We will show how the … Ministry of State Security uses criminal contract hackers to conduct unsanctioned cyberoperations globally, including for their own personal profit,” the senior official said. “Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain.”
Some ransom attacks — breaking into networks, encrypting data and demanding payment in order to release the data — involved Chinese government hackers in attacks on private companies that netted millions of dollars, the official said.
But links to ransomware strikes by groups affiliated with Chinese intelligence are relatively new.
Cybersecurity analysts say most Chinese cyberoperations, including the Microsoft Exchange Server attacks, involve theft of data that is used as part of the Chinese government’s database collection for both secrets and proprietary economic data.
“This was surprising to us,” the senior official said of the MSS link to criminal ransomware, noting that the intelligence provides “new insights on the MSS’s work and on the kind of aggressive behavior that we’re seeing coming out of China.”
Three U.S. security agencies are issuing a 31-page report listing extensive technical measures used by Chinese state-sponsored hackers to break into computer networks. The report by the National Security Agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the FBI lists 44 types of technical attacks by Chinese hackers and how to counter them.
“Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII),” the agencies said.
Targeted sectors include “managed service providers, semiconductor companies, the defense industrial base (DIB), universities and medical institutions. These cyber operations support China’s long-term economic and military development objectives.”
The senior administration official said security agencies have “high confidence” that the Microsoft attack involved MSS hackers’ exploitation of software flaws called “zero days.”
“We’ve raised our concerns about both the Microsoft incident and the PRC’s broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence and stability in cyberspace,” the official said. “The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”
A person familiar with the Microsoft Exchange Server hack, which began around January and continued through the spring, said a major American university and a large law firm were among the targets. The main objective of the Chinese attack was to gain access to thousands of computer networks for the information contained in the networks.
After the data was exfiltrated, China appears to have shared the security flaws used in penetrating the systems with criminal hackers that in some cases launched ransomware attacks, the person said.
Chinese hacking operations have involved large-scale theft of private and government secrets and theft of sensitive personal data.
For example, federal prosecutors linked China’s military to cyberattacks against Boeing that resulted in the theft of secrets related to the C-17 military transport and F-22 and F-35 jets worth billions of dollars.
One of China’s most damaging alleged operations involved cyberattacks against the Office of Personnel Management that were uncovered in 2015. The theft included sensitive information on federal workers who hold security clearances and are valuable in conducting counterintelligence operations.
The effort to enlist the support of U.S. allies in exposing Chinese hacking operations is part of the Biden administration’s push to avoid taking unilateral action.
“Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing, defense,” the senior official said.
By joining allies, the administration hopes to increase information-sharing on cyberthreats and network defenses.
NATO’s criticism of the Chinese cyberactivities is the first time the alliance has raised the matter publicly.
The U.S. government announced in April that it conducted cyberoperations and pursued proactive network defense actions to prevent systems compromised through the Exchange Server vulnerabilities from being used for ransomware attacks or other malicious purposes.
The senior official was asked why the administration had not taken the same kind of punitive action announced in April against Russia for its role in the SolarWinds cyberattack.
“We’re not ruling out further actions to hold the PRC accountable,” the official said.
In April, the Treasury Department sanctioned 32 Russian banks and technology companies and people for their involvement in SolarWinds cyberattacks.