The US, along with an “unprecedented” group of allies and partners, today formally attributed the Microsoft Exchange server cyber campaign to China. The US also indicted four Chinese cyber actors and released detailed information on Chinese cyber tactics, techniques, and procedures (TTPs).
The attribution is significant for multiple reasons. First, it marks the first time that NATO has condemned what a Biden senior administration official characterizes as China’s “irresponsible and destabilizing behavior in cyberspace.” The European Union, the United Kingdom, Australia, Canada, New Zealand, and Japan also joined the US in attributing and denouncing China’s cyberspace activities, which are described as “pos[ing] a major threat to U.S. and allies’ economic and national security.”
“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” a senior administration official said on Sunday night during a call with reporters to preview the announcement.
Today’s announcement is also significant in that it accuses China’s Ministry of State Security of “us[ing] criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit.” This includes “cyber-enabled extortion [i.e., ransomware], crypto-jacking, and theft from victims around the world for financial gain,” the release says. China’s Ministry of State Security is the civilian entity responsible for intelligence gathering and counterespionage.
In addition, the US Department of Justice indicted four Chinese nationals for alleged cybercriminal activities that occurred between 2011 and 2018. The indictment alleges the cyber actors are part of APT40, a threat actor group, which carried out orders from the Hainan State Security Department.
The indictments are largely symbolic, since China is unlikely to hand over these individuals to be tried in the US justice system. And this is not the first time the US has indicted Chinese cyber actors.
Still, the Biden administration’s latest efforts represent one of the most visible pushbacks against China’s cyber activities since the Obama administration. Today’s actions, however, do not impose sanctions or other consequences on the Chinese government. Regardless, the attribution is likely to roil the Chinese government and further strain US-China relations, as well as the relations between China and some US allies and partners with whom Beijing has worked hard to cultivate close economic ties.
In conjunction with the attribution and indictments, the National Security Agency, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency released several publications.
The first two — a Joint Cybersecurity Advisory: Chinese Observed TTPs and Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department — are technical publications intended for cybersecurity professionals. Each one maps Chinese TTPs onto MITRE’s ATT&CK Framework and provides recommended mitigations.
The third, CISA Insights: Chinese Cyber Threat Overview for Leaders, is for a non-technical audience and is intended to help organizations understand and protect themselves from cyberespionage and data theft. It includes “Actions for Leaders,” featuring recommendations to strengthen cybersecurity strategy and investment, develop incident response plans, and stay informed on Chinese cyber activities.
The US’s actions today come after the Biden administration released an advisory on Friday warning American businesses of the potential risks of continuing to operate in Hong Kong following the Chinese government’s passing of a National Security Law last year. Legal analysts say the law is written to allow for broad interpretation of what can be considered national security threats by the Chinese government.
Friday’s joint advisory was issued by the Departments of Commerce, Homeland Security, State, and Treasury and warns that under the “new legal landscape” in Hong Kong, businesses face “potential reputational, regulatory, financial, and, in certain instances, legal risks associated with their Hong Kong operations.”
Today’s actions have been foreshadowed for months, most recently a few weeks ago. The attribution is largely a formality, since Microsoft attributed the Exchange hacks with “high confidence” in its initial disclosure of the campaign in early March.