Security Experts:

U.S., Allies Officially Accuse China of Microsoft Exchange Attacks

U.S. Charges Four Alleged Members of Chinese Hacking Group APT40

The United States and its allies have officially attributed the Microsoft Exchange server attacks disclosed in early March to hackers affiliated with the Chinese government.

China on Monday was accused by the United States, the European Union, NATO, the United Kingdom, Canada, Australia, New Zealand and Japan of conducting malicious cyber activity.

In a statement, the White House accused China of using “criminal contract hackers” to conduct cyber operations. These threat actors allegedly carried out cyberattacks for their own personal gain, including activities involving ransomware, cryptojacking, and cyber-enabled extortion.

The White House has also attributed — “with a high degree of confidence” — the initial Microsoft Exchange attacks to hackers affiliated with China’s Ministry of State Security (MSS).

Multiple threat groups have exploited the Microsoft Exchange vulnerabilities disclosed in early March. However, when Microsoft first warned of the zero-day exploits, it attributed them to a China-linked threat actor named HAFNIUM.

A statement issued by the UK’s National Cyber Security Centre (NCSC) on Monday said the agency is “almost certain” that the threat actors tracked as HAFNIUM, APT40 (TEMP.Periscope, TEMP.Jumper. Leviathan), and APT31 (Judgement Panda, Zirconium, Red Keres) are linked to the Chinese government.

NSA, FBI and CISA release advisory on Chinese state-sponsored cyber operations

The NSA, FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday released an advisory detailing more than 50 tactics, techniques and procedures (TTPs) used by Chinese state-sponsored threat actors in their attacks.

The 30-page advisory describes the TTPs used by the hackers, but also includes recommendations for detection and mitigation, as well as defensive tactics and techniques.

“Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives,” the agencies said.

US charges four Chinese hackers

The U.S. Justice Department on Monday announced criminal charges against four individuals who allegedly hacked into the systems of dozens of government organizations, companies and universities around the world between 2011 and 2018.

“The indictment … alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” the DoJ said.

Three of the defendants are said to be officers in a provincial arm of the MSS and one was an employee of a front company that was used to obfuscate the government’s role in the hacking campaigns.

The defendants are Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong. They have been charged with conspiracy to commit computer fraud and conspiracy to commit economic espionage.

Chinese hackers of APT40 - wanted

The activity allegedly conducted by these individuals has been linked to the threat group tracked as APT40.

Over the past years, the U.S. has charged several individuals over their alleged role in hacking operations conducted by the Chinese government, including attacks aimed at COVID-19 vaccine makers and the credit reporting agency Equifax. Members of the group tracked as APT41 have also been charged.

Related: 'Five Eyes' Nations Blame China for APT10 Attacks

Related: More Countries Officially Blame Russia for SolarWinds Attack

Related: UK, US, Canada Accuse Russia of Hacking Virus Vaccine Trials

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.