The US, UK, NATO, the European Union and other allied nations have accused the Chinese Ministry of State Security of a global hacking campaign, including a large-scale attack on Microsoft Exchange servers and other activity in cyberspace described as "irresponsible and destabilizing behavior”.
“The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit… hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain,” the White House said in a statement.
“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” it continued.
In March 2021, Microsoft discovered a new China-backed hacking group, which it dubbed Hafnium, targeting Exchange servers using a set of vulnerabilities known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). All of them were described as an input validation error issue and allow remote code execution using specially crafted data sent to the Exchange server.
The White House has also attributed “with a high degree of confidence” the initial Microsoft Exchange attacks to hackers linked to China’s Ministry of State Security.
In a statement the UK National Cyber Security Centre (NCSC) also said that “the attack on Microsoft Exchange software was highly likely to enable large-scale espionage” and “it was highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity.”
The UK added that the Chinese Ministry of State Security (MSS) is also behind Chinese state-backed hacking groups tracked as APT40 and APT31.
The NSA, FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing tactics, techniques and procedures (TTPs) used by Chinese state-sponsored threat actors in their campaigns. The document also provides recommendations for detection and mitigation, as well as defensive tactics and techniques.
The U.S. Justice Department on Monday announced criminal charges against four alleged MSS hackers belonging to the APT40 group regarding activities related to a broad campaign targeting foreign governments and entities in maritime, aviation, defense, education, and healthcare sectors in the least a dozen countries with the goal of stealing trade secrets and confidential business information.