U.S. Government Blames China For Microsoft Exchange Hack

‘Given that sanctions have already been used against virtually every other rogue cyber nation state, not using them against China is a glaring oversight,’ says Dmitri Alperovitch on the U.S. government response.

The Biden administration has formally accused hackers affiliated with China’s Ministry of State Security (MSS) of exploiting Microsoft Exchange Server vulnerabilities in a massive cyberattack.

The United States government teamed up with the European Union, the United Kingdom and NATO to condemn China’s malicious cyber activities, which include ransomware operations against private companies with multi-million-dollar ransom demands. But unlike what Russia faced following the SolarWinds attack, the U.S. stopped short of issuing any sanctions or formal punishment against China.

“No one action can change China’s behavior in cyberspace and neither can just one country acting on its own,” a senior Biden administration official said during a background press call. “We really focused initially in bringing other countries along with us … And we’re not ruling out further actions to hold the PRC [People’s Republic of China] accountable.”

[Related: Microsoft Exchange Server Attacked By Chinese Hackers]

The next step needs to include imposing sanctions on Chinese actors for their unconstrained and untargeted hacking of Microsoft Exchange servers, said Dmitry Alperovitch, co-founder and former CTO of CrowdStrike. “Given that sanctions have already been used against virtually every other rogue cyber nation state, not using them against China is a glaring oversight,” Alperovitch wrote on Twitter Monday.

Microsoft back in March attributed the attack against on-premises versions of Exchange Server to Hafnium, a Chinese state-sponsored hacking group. Chinese hackers exploited the Microsoft Exchange vulnerabilities to compromise tens of thousands of computers and networks worldwide, resulting in significant remediation costs for its mostly private sector victims, according to the Biden administration.

“Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable,” Tom Burt, Microsoft’s Corporate Vice President of Customer Security and Trust, said in a statement. “The governments involved in this attribution have taken an important and positive step that will contribute to our collective security.”

China’s MSS uses criminal contract hackers to carry out cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain, according to the Biden administration official. Individuals affiliated with the MSS also made a large ransom demand of an American company, the official said.

“Responsible states do not indiscriminately compromise global network security nor knowingly harbor cyber criminals – let alone sponsor or collaborate with them,” Secretary of State Antony Blinken said in a statement. “These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts.”

As part of the coordinated announcement, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) revealed more than 50 tactics, techniques, and procedures Chinese state-sponsored cyber actors used when targeting U.S. and allied networks.

Chinese state-sponsored cyber activity targets the U.S. political, economic, military, educational and critical infrastructure personnel and organizations, according to Monday’s joint cybersecurity advisory. Cyber actors affiliated with China have in the past several years attempted to obtain and transfer sensitive U.S. software and technology to China, according to CISA.

Chinese threat actors attempt to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools, according to the advisory. The cyber actors use VPS as an encrypted proxy as well as small office and home office (SOHO) devices as operational nodes to evade detection, the advisory found.

They consistently scan target networks for critical and high vulnerabilities within days of the flaw’s public disclosure, the advisory stated. In many cases, CISA said Chinese cyber actors seek to exploit vulnerabilities in major applications such as Pulse Secure, Apache, F5, Big-IP and Microsoft products.

To defend against Chinese state-sponsored cyber actors, federal authorities urge businesses to patch critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment. Organizations should also review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly, the advisory stated.

Companies should follow best practices around restricting attachments via email and blocking URLs and domains based upon reputation, according to the advisory. Finally, authorities urged businesses to implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing.

“The U.S. Intelligence Community assessed that the PRC presents a prolific and effective cyber-espionage threat, possesses substantial cyberattack capabilities, and presents a growing influence threat,” CISA wrote Monday. “[It] leverages cyber operations to assert its political and economic development objectives.”