Hackers working for Chinese intelligence played a role in using ransomware to extort U.S. businesses, the White House said Monday.
The announcement was part of a broader effort by the U.S. and a large group of allies, including the European Union, NATO, the U.K., Australia and Japan, to condemn China’s government for “malicious cyber activity,” a senior White House official told reporters on a call Sunday night. The official asked to not be identified as a condition of participating in the call.
The move marks a significant escalation in a decade-long effort by the U.S. to grapple with Chinese government hacking. And it is an example of how the Biden administration is trying to enlist allies in an effort to change China’s behavior, after four years of the Trump administration's unilateralism.
"The compromise and exploitation of the Microsoft Exchange server undermined the security and integrity of thousands of computers and networks worldwide," the Council of the European Union said in a published statement Monday. "This irresponsible and harmful behaviour resulted in security risks and significant economic loss for our government institutions and private companies, and has shown significant spill-over and systemic effects for our security, economy and society at large."
China rejected the accusations by the U.S. and its allies as “sheer fabrication and slander,” a spokesperson for the Chinese embassy in London told a briefing Tuesday.
In turn, it accused the U.S. of “engaging in practices of large-scale, organized and indiscriminate cyber theft, surveillance and attacks against foreign governments, enterprises and individuals,” which it said was “in violation of international law and basic norms governing international relations.”
The joint announcement largely concerns the discovery and exploitation of a flaw in Microsoft’s Exchange software this year, the official said.
Hackers who were quickly identified by U.S. government and private cybersecurity experts as likely to be affiliated with China’s Ministry of State Security, or MSS, began using the flaw in January to start hacking into companies, seemingly as part of China’s conventional spying operations. Other hackers believed by the U.S. to be tied to the MSS later launched ransomware attacks using the flaw.
The U.S. has previously accused some hackers working for Chinese intelligence of using their skills to moonlight as cybercriminals for extra money. The announcement Monday marks the first time the U.S. has accused China of abetting ransomware attackers.
It is unclear how successful the ransomware attacks were or whether hackers working for the MSS directly conducted them or relied on cybercriminal affiliates. But the official did say that demands had been made.
“In some cases, we’re aware where [People’s Republic of China] government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the official said.
Tom Burt, Microsoft’s corporate vice president for customer security and trust, praised the joint announcements in an emailed statement.
"Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable," Burt said. "Transparency is critical if we’re to combat the rising cyberattacks we see across the planet against individuals, organizations and nations."
Separately, the U.S. Justice Department indicted four individuals it said worked for Chinese intelligence for hacking into companies in an effort to steal intellectual property and confidential information, and then sharing that information with Chinese businesses.
The National Security Agency, FBI and Cybersecurity and Infrastructure Security Agency also issued an extensive technical document for cybersecurity workers on how to defend against common state-sponsored attacks from China.
The Biden administration is under pressure to rein in attacks by ransomware, a criminal hacker tactic that locks up a victim’s computer, demanding money in exchange for a promise to fix it and not to leak sensitive files.
The majority of the most prolific ransomware operators are believed to operate in and around Russia, which has led President Joe Biden to say the U.S. will take direct steps against the hackers if Russian President Vladimir Putin does not intervene. While some ransomware groups have disappeared, it is unclear whether any of the White House’s actions have had an effect.
The Microsoft Exchange hack led to a high-profile espionage campaign that quickly spiraled into several ransomware attacks. The hackers who first started exploiting the vulnerability seemed to act like most government hackers, spying on conventional government and corporate targets.
But then something curious happened: State-sponsored hacker groups usually keep the discovery of key software vulnerabilities to themselves, but other hacker groups, including criminal ones, also quickly started exploiting the flaw, leading to speculation about who had made it public. It was used to deploy ransomware attacks soon afterward.
It was unclear how many organizations were targeted or whether any of the ransomware attacks were successful. But there were multiple attacks, the official said, at least one of them against a U.S. target.
"This was surprising to us, and in fact one of the reasons we’ve put so much work into this attribution is because it really gave us new insight into the MSS’s work and then the kind of aggressive behavior that we’re seeing coming out of China," the official said.
"I can’t speak to further details of the ransomware attack, but it literally was what we think about with ransomware: a ransom request — a large ransom request — made to an American company," the official said.