The United States and its allies blamed China’s Ministry of State Security for the massive hack against Microsoft this year, with the Justice Department also charging members of the Chinese intelligence agency over a separate global espionage campaign.
The U.S. did not impose sanctions on China as it did on Russian intelligence hackers earlier this year.
“The PRC’s Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” Secretary of State Antony Blinken said Monday. “In addition, the United States government, alongside our allies and partners, has formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims.”
China’s MSS is tasked with managing the government’s intelligence efforts, its internal security, and its secret police, and the White House repeatedly called out the MSS on Monday.
“Hackers with a history of working for the PRC Ministry of State Security have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain … In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the White House said, adding it was “attributing with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021” and that “MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims.”
The White House said it had raised its concerns about “the PRC’s broader malicious cyber activity” with senior Chinese officials.
When asked on Monday why the U.S. had not sanctioned China, President Joe Biden replied, “They’re still determining exactly what happened.”
When pressed on the difference between Chinese and Russian hacking, Biden gave a muddled response.
“I’m getting a report tomorrow morning on this, a detailed report — my understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it, and maybe even accommodating them being able to do it. That may be the difference.”
White House press secretary Jen Psaki was asked about this on Monday.
“Today, an unprecedented group of allies and partners, including the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO, are joining the United States in exposing and criticizing the PRC’s Ministry of State Security’s malicious cyber activities,” Psaki said. “So, I would note that we are actually elevating and taking steps to not only speak up publicly but certainly take action as it relates to problematic cyber activities from China, in a different way, but as we have from Russia as well. We are not differentiating one as out of the realm of condemnation or out of the realm of consequence from the United States.”
The DOJ announced Monday that a federal grand jury in May indicted four members of China’s Hainan State Security Department for a massive hacking campaign targeting dozens of victim companies between 2011 and 2018, with the DOJ saying the conspirators “sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun.”
The DOJ said that the “targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime” and that “stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country.”
The DOJ’s unsealed indictment said that Hainan Xiandun, under the direction of HSSD intelligence officers, hacked or attempted to hack victims in several countries, including the U.S. Targets included universities in California, Pennsylvania, Hawaii, Maryland, Texas, and Washington, research facilities across the country, and defense contractors in California and Virginia.
“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”
Microsoft corporate Vice President Tom Burt told the Washington Examiner: “Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable.”
The Cybersecurity and Infrastructure Security Agency said that it, along with the NSA and the FBI, assessed that Chinese state-sponsored hackers “aggressively target” U.S. and allied “political, economic, military, educational, and critical infrastructure personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information” in order to “support China’s long-term economic and military development objectives.”
The CISA and the FBI released a joint advisory on Monday, providing details on “MSS-affiliated actors” who targeted victims in “academia, aerospace/aviation, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation” and went after “governmental organizations, companies, and universities in a wide range of industries — including biomedical, robotics, and maritime research — across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China’s Belt and Road Initiative.” The CISA also provided details on how the Chinese hackers targeted Microsoft.
A senior administration official also told the Washington Examiner that “the U.S. and our allies have not ruled out further action.”
“No one action can change PRC’s behavior, and neither can just one country acting on its own,” the official said. “We are making it clear to China: For as long as China continues its pattern of irresponsible malicious cyber activities, we will continue to work with our allies and partners to call them out, promote network defense and cybersecurity, and take action to disrupt threats to our people.”