On July 19, the United States and other Western powers accused the Chinese state of responsibility for the mass compromise of Microsoft Exchange email servers earlier in the year, and of tolerating other malicious cyber activity, including ransomware attacks.
The Exchange intrusions, first detected in January 2021 and publicly disclosed by Microsoft in March, exploited previously unknown flaws in on-premises Exchange servers to steal emails and address books from tens of thousands of U.S. organizations. They included defense contractors, infectious disease researchers, universities, nongovernmental organizations and others.
Microsoft attributed the intrusions to a group it tracks as Hafnium, which it assessed to be state-sponsored and operating from China.
U.S. President Joe Biden said it was his understanding that the Chinese government “is not doing this themselves, but are protecting those who are doing it and maybe even accommodating them being able to do it.”
The U.S. Justice Department also announced that a grand jury had, in May, indicted three Chinese intelligence officers and a Chinese computer hacker for intrusions that “pilfered trade secrets and confidential information from dozens of companies, universities and government entities in the United States and 11 other countries between 2011 and 2018,” the Voice of America reported.
A Chinese foreign ministry spokesperson vehemently denied the allegations.
“The US ganged up with its allies to make groundless accusations out of thin air against China on the cyber security issue,” Chinese Foreign Ministry spokesperson Zhao Lijian said during his daily press briefing on July 20. “This act confuses right with wrong and smears and suppresses China out of political purpose. China will never accept this.”
He added: “China firmly opposes and combats all forms of cyberattacks. It will never encourage, support or condone cyberattacks. This position has been consistent and clear.”
That is likely false.
While such campaigns are typically structured to preserve plausible deniability, intelligence agencies and independent analysts have routinely linked the Chinese state to cyberattacks.
According to the U.S. Cybersecurity and Infrastructure Security Agency, U.S. intelligence assessments view the People’s Republic of China as “a prolific and effective cyber-espionage threat” with substantial cyberattack capabilities.
The U.S. says China has compromised telecommunications firms, providers of managed information technology services and widely used software, among others, intrusions that can expose those providers' many downstream customers.
Microsoft reported in September 2020 that it had sent more than 13,000 nation-state notifications (NSNs) over the previous two years. The technology giant sends these notices to individual or corporate customers who are “targeted or compromised by nation state activities that Microsoft tracks.”
Microsoft found the “highest percentage of NSNs represented activity originating in Russia, followed by Iran, China, North Korea, and other countries.”
The U.S. cybersecurity firm CrowdStrike said in its 2021 Global Threat Report that “China-based adversaries continued targeted operations throughout 2020 that largely aligned with historic focuses on espionage, intellectual property theft and surveillance.”
CrowdStrike said it had “observed intrusions by at least 11 named Chinese adversaries and seven suspected China-origin activity clusters.”
Many of the cyberattacks targeting the telecommunications and technology sectors lined up with “the objectives outlined in the 13th Five-Year Plan,” in which the Chinese Communist Party mapped out its development goals for 2016-2020.
According to CrowdStrike, Chinese adversaries constitute “one of the most prolific state-sponsored cyber actors on the planet.”
The Washington, D.C.,-based Center for Strategic and International Studies (CSIS) think tank has documented numerous “significant cyber incidents.” Those are “cyberattacks on government agencies, defense and high-tech companies, or economic crimes with losses of more than a million dollars,” CSIS said.
CSIS found that since 2006, China and Russia have been the largest countries of origin for such attacks.
A 2021 campaign that exploited flaws in Pulse Secure VPN appliances, and that has been linked to China-based actors, included the recent hacking of the Metropolitan Water District of Southern California and the telecommunications company Verizon.
Beijing has denied any involvement.
Mandiant, a U.S. cybersecurity firm that rose to prominence after documenting the role of the People’s Liberation Army (PLA) in cyberattacks, suspects that China-sponsored advanced persistent threat (APT) actors UNC2630 and UNC2717 played a role in the Pulse Secure attacks.
According to the California-based cybersecurity firm FireEye, which purchased Mandiant in 2013, APTs “receive direction and support from an established nation state.”
Mandiant found that UNC2630 may have ties to APT5, which has been active since at least 2007 and focuses primarily on telecommunications and technology firms.
FireEye has described APT5 as a large threat group consisting of several subgroups. It says that in 2015, APT5 “compromised a U.S. telecommunications organization providing services and technologies for private and government entities.”
In 2010, Mandiant stated that the “Chinese government may authorize” such attacks, but “there’s no way to determine the extent of its involvement.”
Three years later, Mandiant said it had acquired enough evidence through hundreds of investigations of computer security breaches around the world to conclude that groups engaged in malicious cyber activities “are based primarily in China and that the Chinese Government is aware of them.”
In that 2013 report, Mandiant focused on APT1, “one of more than 20 APT groups with origins in China” that the cybersecurity firm had catalogued at that point.
Mandiant said APT1 had been able to wage “a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government.”
It also said there was sufficient evidence to conclude that APT1 is in fact Unit 61398 of China’s People’s Liberation Army. At the time, APT1 was staffed by hundreds, if not thousands, of people, and state-owned China Telecom had provided it with “special fiber optic communications infrastructure … in the name of national defense.”
FireEye has also identified a number of Chinese state-linked APT actors. They include APT40, whose members were targeted in the July 19 U.S. Justice Department indictment, and APT31, which has been implicated in high-profile attacks, including a 2018 breach of the Norwegian government’s technology network and a December 2020 attack on the Finnish parliament’s information systems.
The U.K. government also concluded that the Chinese Ministry of State Security is behind activity “known by cyber security experts as ‘APT40’ and ‘APT31’.”
NATO’s decision-making body, the North Atlantic Council, acknowledged statements by members that “attributed responsibility for the Microsoft Exchange Server compromise to the People’s Republic of China.”