US government formally names China in Exchange Server hack

The U.S. government blamed Chinese state-sponsored actors Monday for the devastating Microsoft Exchange Server cyber attacks earlier this year.

The announcement was made nearly four and a half months after Microsoft disclosed that a Chinese threat actor designated Hafnium had exploited a number of zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server in early March. Hundreds of thousands of servers were vulnerable by the time a patch was released, and an estimated tens of thousands of networks across the world were compromised.

The statement released by the White House Monday was done in concert with the European Union, the U.K. and NATO. With a "high degree of confidence," the governments placed the blame for the large-scale Exchange Server attacks against "mostly private-sector victims" on Chinese threat actors affiliated with the Ministry of State Security (MSS).

While Microsoft did assess that Hafnium was state-sponsored in its March 2 disclosure, only now has the U.S. formally named the People's Republic of China (PRC) in the attacks. It took a similar amount of time for the U.S. to name Russia for its role in the SolarWinds supply-chain attack.

A Microsoft spokesperson shared the following statement with SearchSecurity, attributed to Tom Burt, corporate vice president of customer security and trust at Microsoft.

"Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable," Burt said. "The governments involved in this attribution have taken an important and positive step that will contribute to our collective security. Transparency is critical if we're to combat the rising cyber attacks we see across the planet against individuals, organizations and nations."

The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers.

Beyond the Exchange Server attacks, the statement was an overall condemnation of China's malicious cyber activity and "irresponsible state behavior."

"The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit," the White House statement read.

"In some cases," the statement continues, "we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars."

On Monday, the U.S. Department of Justice also announced a May indictment of four alleged MSS-sponsored actors, charging them with "a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018," the indictment press release reads. They have been given the designation APT 40, and are not suspected of involvement with the Exchange Server attacks. The indictments were referenced in the White House's statement.

Monday's statement did not include any announcements of sanctions or other actions against China. Instead, it included a rundown of actions taken in previous months by the U.S. government, including the discovery of new Exchange Server vulnerabilities and a new joint cybersecurity advisory. It also discussed the Biden administration's efforts to modernize federal cyber defenses.

China is one of the "big four" in terms of cyber adversaries to the United States. Recorded Future COO Stu Solomon told SearchSecurity in April that China is unique in that it utilizes every cyber-capable part of its society, including the military, its federal government, hackers and even students.

Alexander Culafi is a writer, journalist and podcaster based in Boston.