Security Experts:

Connect with us

Hi, what are you looking for?



U.S., Allies Officially Accuse China of Microsoft Exchange Attacks

U.S. Charges Four Alleged Members of Chinese Hacking Group APT40

The United States and its allies have officially attributed the Microsoft Exchange server attacks disclosed in early March to hackers affiliated with the Chinese government.

U.S. Charges Four Alleged Members of Chinese Hacking Group APT40

The United States and its allies have officially attributed the Microsoft Exchange server attacks disclosed in early March to hackers affiliated with the Chinese government.

China on Monday was accused by the United States, the European Union, NATO, the United Kingdom, Canada, Australia, New Zealand and Japan of conducting malicious cyber activity.

In a statement, the White House accused China of using “criminal contract hackers” to conduct cyber operations. These threat actors allegedly carried out cyberattacks for their own personal gain, including activities involving ransomware, cryptojacking, and cyber-enabled extortion.

The White House has also attributed — “with a high degree of confidence” — the initial Microsoft Exchange attacks to hackers affiliated with China’s Ministry of State Security (MSS).

Multiple threat groups have exploited the Microsoft Exchange vulnerabilities disclosed in early March. However, when Microsoft first warned of the zero-day exploits, it attributed them to a China-linked threat actor named HAFNIUM.

A statement issued by the UK’s National Cyber Security Centre (NCSC) on Monday said the agency is “almost certain” that the threat actors tracked as HAFNIUM, APT40 (TEMP.Periscope, TEMP.Jumper. Leviathan), and APT31 (Judgement Panda, Zirconium, Red Keres) are linked to the Chinese government.

NSA, FBI and CISA release advisory on Chinese state-sponsored cyber operations

The NSA, FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday released an advisory detailing more than 50 tactics, techniques and procedures (TTPs) used by Chinese state-sponsored threat actors in their attacks.

The 30-page advisory describes the TTPs used by the hackers, but also includes recommendations for detection and mitigation, as well as defensive tactics and techniques.

“Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives,” the agencies said.

US charges four Chinese hackers

The U.S. Justice Department on Monday announced criminal charges against four individuals who allegedly hacked into the systems of dozens of government organizations, companies and universities around the world between 2011 and 2018.

“The indictment … alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes,” the DoJ said.

Three of the defendants are said to be officers in a provincial arm of the MSS and one was an employee of a front company that was used to obfuscate the government’s role in the hacking campaigns.

The defendants are Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong. They have been charged with conspiracy to commit computer fraud and conspiracy to commit economic espionage.

Chinese hackers of APT40 - wanted

The activity allegedly conducted by these individuals has been linked to the threat group tracked as APT40.

Over the past years, the U.S. has charged several individuals over their alleged role in hacking operations conducted by the Chinese government, including attacks aimed at COVID-19 vaccine makers and the credit reporting agency Equifax. Members of the group tracked as APT41 have also been charged.

Related: ‘Five Eyes’ Nations Blame China for APT10 Attacks

Related: More Countries Officially Blame Russia for SolarWinds Attack

Related: UK, US, Canada Accuse Russia of Hacking Virus Vaccine Trials

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...