The United States, Canada, and numerous other nations formally blamed China on Monday for a massive hack of the Microsoft Exchange email server software and accused Beijing of working with criminal hackers in ransomware attacks and other cyber operations.
While they were not accompanied by sanctions against the Chinese government, the announcements were intended as a forceful condemnation of activities a senior Biden administration official described as forming part of a “pattern of irresponsible behaviour in cyberspace.”
The Government of Canada estimates that as many as 400,000 servers were compromised.
“This activity put several thousand Canadian entities at risk — a risk that persists in some cases even when patches from Microsoft have been applied,” Foreign Affairs Minister Marc Garneau, Public Safety Minister Bill Blair and Defence Minister Harjit Sajjan said in a statement.
“Canada is confident that (China’s) Ministry of State Security is responsible for the widespread compromising of the exchange servers.”
The broad range of cyberthreats include ransomware attacks from government-affiliated hackers that have targeted victims with demands for millions of dollars. U.S officials allege that China’s Ministry of State Security has been using criminal contract hackers who have engaged in cyber extortion schemes and theft for their own profit, officials said.
Meanwhile, the U.S. Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the Ministry of State Security in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of stealing trade secrets and confidential business information.
Unlike in April, when public finger-pointing of Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing.
Canada also declined to impose any sort of punitive action. But the U.S. has confronted Chinese officials behind the scenes in the hope that Monday’s public shaming sends an important message, a senior Biden administration official told reporters on Monday.
The European Union and Britain also called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defence contractors in the U.S. and Europe and the Finnish parliament.
WATCH | Canadians were likely hit by the massive Microsoft hack
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behaviour that we’re seeing coming out of China.”
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
An advisory Monday from the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency laid out specific techniques and ways that government agencies and businesses can protect themselves.
A spokesperson for the Chinese Embassy in Washington did not immediately return an email seeking comment Monday. But a Chinese Foreign Ministry spokesperson has previously deflected blame for the Microsoft Exchange hack, saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms” and cautioned that attribution of cyberattacks should be based on evidence and not “groundless accusations.”
Canada’s cybersecurity agency also released a report last Friday outlining some of the threats that foreign actors could pose during the next federal election, which Prime Minister Justin Trudeau is expected to call in the next few weeks.
The Communications Security Establishment report specifically blamed the majority of online attacks and threats to democratic processes in Canada and other parts of the world since 2015 on China, Russia and Iran.
And while Canada may have good defences and may not be a major target now, the CSE said a growing number of actors have the tools, capacity and understanding of this country’s political landscape to take action in the future “should they have the strategic intent.”