WASHINGTON—The Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities.
The U.S. government has high confidence that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.
In addition, four Chinese nationals were indicted over a range of separate hacking intrusions dating back a decade that allegedly stole corporate and research secrets from firms and universities around the world. Three of the nationals were described as MSS officers, while a fourth was said to be employed at a Chinese front company that aided the hacking.
“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State
said Monday. The MSS, he added, had “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
The U.K. and European Union, among others, joined in the attribution of the Microsoft Exchange Server hacking activity, which rendered an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion. Attributing the Microsoft hack to China was part of a broader global censure Monday of Beijing’s cyberattacks by the U.S., the EU, the U.K., Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO, a 30-nation alliance.
Biden administration officials called the collective condemnation the largest international effort yet to criticize Beijing’s state-sponsored hacking. While statements varied, the international cohort generally called out China for engaging in harmful cyber activity, including intellectual property theft.
The public shaming, however, didn’t include punitive measures, such as sanctions or diplomatic expulsions by the U.S. That stands in contrast with how the administration recently punished Russia for a range of alleged malicious cyber activity, and the discrepancy drew criticism from some cybersecurity specialists.
The lack of further punishment “looks like a double standard compared with actions against Russian actors. We treat China with kid gloves,” said
chairman of Silverado Policy Accelerator, a Washington-based think tank that works to modernize U.S. cybersecurity strategy.
A senior official that said the administration is aware that no single action is capable of changing the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified stance against Beijing. The official said that hackers linked to the MSS were using criminal contractors to conduct “unsanctioned” cyber operations globally.
Asked by reporters what he believes the difference is between hacking originating in China and Russia, President Biden said, “My understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it, and maybe even accommodating them being able to do it.”
The U.S.-led announcement is the most significant action from the Biden administration to date concerning China’s yearslong campaign of cyberattacks against the U.S. government and American companies, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccine data.
The indictment the Justice Department made public Monday alleges that the Chinese government has done little to uphold a 2015 accord between China and the Obama Administration not to direct or support cyberattacks that steal corporate records for economic benefit. The Trump administration had also said Beijing repeatedly violated the accord. The indictment, which dates from May, accuses a regional branch of the MSS of relying on a front company, whose payroll was coordinated through a local university, to continue such attacks after the pact was signed.
The indictment charges the four men with orchestrating a hacking campaign from 2011 to 2018 intended to benefit China’s companies and commercial sectors by stealing intellectual property and business information. The indictment didn’t appear directly related to the Microsoft Exchange Server breach, but accused the hackers of stealing information from dozens of companies and universities around the world about Ebola virus research, maritime research and other topics.
U.S. authorities have accused China of widespread hacking targeting American businesses and government agencies for years. China has historically denied the allegations.
“The U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity,” Liu Pengyu, spokesman for the Chinese Embassy in Washington, said late Monday. “This is just another old trick, with nothing new in it.”
The Exchange Server hack was disclosed by Microsoft in March alongside a software patch to fix the bugs being exploited in the attack. Microsoft at the time identified the culprits as a Chinese cyber-espionage group with state ties that it refers to as Hafnium, an assessment that was supported by other cybersecurity researchers. The Biden administration hadn’t offered attribution until now, and it is essentially agreeing with the conclusions of the private sector and providing a more detailed identification.
The attack on the Exchange Server systems began slowly and stealthily in early January by hackers who in the past had targeted infectious-disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other China-linked hacking groups became involved, infecting thousands of servers as Microsoft worked to send its customers a software patch in early March.
Microsoft praised Monday’s global action. “Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable,” said Tom Burt, Microsoft’s vice president of customer security and trust.
Also on Monday, the National Security Agency, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency jointly published technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government. The release of such lists is common when the U.S. exposes or highlights malicious hacking campaigns and is intended to help businesses and critical infrastructure operators better protect their computer systems.
‘Failure to sanction any PRC-affiliated actors has been one of the most prolific and baffling failures of our China policy that has transcended administrations.’
Cybersecurity experts have been pressing the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack.
“The Microsoft Exchange hacks by MSS contractors is the most reckless cyber operation we have yet seen from the Chinese actors—much more dangerous than the Russian
hacks,” said Silverado’s Mr. Alperovitch, referring to the widespread cyber-espionage campaign detected last December that, along with other alleged activities, prompted a suite of punitive measures against Moscow.
Many analysts said the Biden administration broke with years of U.S. foreign policy that tolerated cyber espionage as an acceptable form of 21st century spycraft when it punished Russia earlier this year for SolarWinds.
Kellen Dwyer, a former career prosecutor who served last year as deputy assistant attorney general in the Justice Department’s national security division, said the SolarWinds attack “was an espionage attack, and one that was relatively cautious about imposing collateral damage.”
Meanwhile, said Mr. Dwyer, the Chinese actors who allegedly engaged in the Microsoft Exchange hack grabbed vast swaths of data and “indiscriminately scanned the entire internet to find unpatched vulnerabilities.” He said: “That certainly should be a norm that we are willing to define and meet with sanctions.”
The Chinese defendants charged in the new indictment aren’t in U.S. custody. Some cybersecurity experts have said indictments against foreign state-backed hackers often have little impact, because the accused are rarely brought before an American courtroom. U.S. officials have defended the practice, saying it helps convince allied governments, the private sector and others about the scope of the problem.
The hackers are accused of breaching dozens of schools, companies, and government agencies around the world, ranging from a research facility in California and Florida focused on virus treatments and vaccines, to a Swiss chemicals company that produces maritime paints, to a Pennsylvania university with a robotics engineering program and the National Institutes of Health, to two Saudi Arabian government ministries. The companies and universities aren’t named in the indictment.
The hackers allegedly used fake spear-phishing emails and stored stolen data on GitHub, concealing the files in photos of a koala and
the indictment said. They coordinated with professors at a Chinese university, including to identify and recruit hackers for their campaign, and used the address of the university library as the front company’s location, it said.
The Microsoft Hack
More WSJ coverage of Exchange Server cyberattack, selected by the editors.
—Laurence Norman and Andrew Restuccia contributed to this article.
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8