China has recently been accused by the UK, US, EU, and NATO of carrying out a major cyber attack earlier this year. The attack targeted Microsoft Exchange Server, a widely used corporate email platform, and at least 30,000 organizations were affected worldwide.
The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and “reckless” behavior. In a statement released this Monday, the White House said it had concluded:
“With a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”
The U.K. government accused Beijing of a “pervasive pattern of hacking” and “systemic cyber sabotage.”
How did China start the attack?
It all began in January, when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. The group reportedly used the vulnerability to plant backdoors on compromised servers so it could return to them later.
The United Kingdom stated that the attack could enable large-scale espionage, including the theft of personal information and intellectual property. At that stage, the attack was focused on specific targets consistent with Hafnium’s previous victims, such as defense contractors, think tanks, and universities.
“We believe that cyber-operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January, and were racing to exploit the vulnerability before [it] was widely identified in the public domain,” a security source told the BBC.
In late February, however, something changed. The targeted operation turned into a mass pile-in as other hacker groups from China began exploiting the same vulnerability, and the targets widened to include key industries and governments around the world. Put simply, it went from targeted espionage to a large smash-and-grab raid.
Western security sources believe that Hafnium learned in advance that Microsoft intended to patch the vulnerability, and shared it with other Chinese groups to extract as much use from it as possible before the patch closed the window.
The National Cyber Security Centre (NCSC) described the attack as “the most significant and widespread cyber intrusion against the U.K. and its allies”. It also stated that the attack was highly likely to enable “acquiring personally identifiable information and intellectual property.”
In addition, the MSS has been named as the party behind a series of malicious cyber activities tracked under the names “APT40” and “APT31”. The UK attributed to APT40 the targeting of maritime industries and naval defense contractors in the United States, and to APT31 the attack on the Finnish parliament in 2020.
The FBI, NSA (National Security Agency), and CISA released a joint advisory this Monday detailing more than 50 tactics, techniques, and procedures (TTPs) used by APT40 and other Chinese state-sponsored cyber actors.
Mark Loman, director of engineering at Sophos, said in a statement:
“It has been a few months since attackers exploited the Hafnium-related bugs in Exchange to deploy ransomware, like DearCry and the Black Kingdom. In general, to protect themselves, ransomware operators typically operate from the dark web or via one or more compromised servers hosted in countries other than the physical location of the attackers. This makes attack attribution hard, but not impossible.”
China’s response to the accusations
The Chinese government has repeatedly denied involvement in the attack. According to the Associated Press, a spokesperson for the Chinese Embassy in Washington said that China is “a severe victim of the U.S. cyber theft, eavesdropping, and surveillance,” adding that “The U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity.”
Zhao Lijian, a spokesperson for the Chinese Ministry of Foreign Affairs, rejected accusations that Beijing was behind the global hacking campaign targeting Microsoft Exchange servers and accused the U.S. of being the world’s biggest source of cyberattacks.
“China firmly opposes and combats all forms of cyberattacks. It will never encourage, support, or condone cyberattacks. This position has been consistent and clear. Given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, it’s important to have enough evidence when investigating and identifying cyber-related incidents. It requires extra prudence when linking cyberattacks with the government of any country. The so-called technical details released by the U.S. side do not constitute a complete chain of evidence.”
The US Department of Justice has announced criminal charges against four Chinese nationals linked to the MSS, describing a long-running campaign against foreign governments and entities in key sectors in at least a dozen countries.
Ultimately, Western security sources believe that the MSS is behind all of the disclosed activity and hope that coordinated international action will put pressure on it.
- China accused of cyber-attack on Microsoft Exchange servers
- U.S. Accuses China of Hacking Microsoft
- US and Global Allies Accuse China of Massive Microsoft Exchange Attack