US says Chinese intelligence behind cyberattack using Microsoft software flaw

China’s Ministry of State Security (MSS) intelligence service was behind a major international cyberattack involving tens of thousands of computers penetrated through security flaws in Microsoft software, according to a senior Biden administration official.

Beijing also employed contract Chinese hackers to carry out ransomware attacks in financial crime schemes, the official told reporters in a briefing Sunday night.

“MSS is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyber operations globally,” the official said. “That is very much with the Ministry of State Security’s knowledge.”

The official described the MSS use of the private hackers as “really eye-opening and surprising for us.”

The cyberattacks that exploited a security flaw in Microsoft Exchange Server software also were significant and were “very eye-opening to us as well,” the official added. The U.S. disclosures are part of a major publicity campaign by the administration and American allies, set for Monday, to expose extensive Chinese government hacking operations.

The administration will join the European Union, Britain, Australia, Canada, New Zealand, Japan and the NATO alliance in launching a joint publicity campaign focused on exposing and criticizing MSS cyber activities.

“We will show how the … Ministry of State Security uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit,” the senior official said. “Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain.”

Some ransom attacks — breaking into networks, encrypting data and demanding payment in order to release the data — involved Chinese government hackers in attacks on private companies that netted millions of dollars, the official said.

Ransomware strikes by groups affiliated with Chinese intelligence, however, are a relatively new type of operation.

Cybersecurity analysts say most Chinese cyber operations, including the Microsoft Exchange Server attacks, involve theft of data that is being used as part of the Chinese government’s database collection for both secrets and proprietary economic data.

“This was surprising to us,” the senior official said of the MSS link to criminal ransomware, noting that the intelligence provides “new insights on the MSS’s work and on the kind of aggressive behavior that we’re seeing coming out of China.”

Three U.S. security agencies are issuing a 31-page report listing extensive technical measures used by Chinese state-sponsored hackers to break into computer networks. The report by the National Security Agency, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI lists 44 different types of technical attacks by Chinese hackers and how to counter them.

“Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII),” the agencies said.

Targeted sectors include “managed service providers, semiconductor companies, the defense industrial base (DIB), universities and medical institutions. These cyber operations support China’s long-term economic and military development objectives.”

The senior administration official said security agencies have “high confidence” the Microsoft attack involved the exploitation by MSS hackers of software flaws called “zero days.”

“We’ve raised our concerns about both the Microsoft incident and the PRC’s broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence and stability in cyberspace,” the official said, using the acronym for People’s Republic of China. “The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”

A person familiar with the Microsoft Exchange Server hack, which began around January and continued through the spring, said a major American university and a large law firm were among the targets. The main objective of the Chinese attack was to gain access to thousands of computer networks for the information they contained.

After the data was exfiltrated, China appears to have shared the security flaws used in penetrating the systems with criminal hackers that in some cases launched ransomware attacks, said the person.

Chinese hacking operations have involved large-scale theft of both private and government secrets, as well as theft of sensitive personal data.

For example, China’s military was linked by federal prosecutors to cyberattacks against Boeing that resulted in the theft of secrets related to the C-17 military transport and F-22 and F-35 jets worth billions of dollars.

One of China’s most damaging alleged operations involved cyberattacks against the Office of Personnel Management that were uncovered in 2015. The data stolen included sensitive information on federal workers who hold security clearances, information that is valuable in conducting counterintelligence operations.

The effort to enlist the support of U.S. allies in exposing Chinese hacking operations is part of the Biden administration’s push to avoid taking unilateral action.

“Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing, defense,” the senior official said.

By joining allies, the administration hopes to increase information-sharing on cyber threats and network defenses.

NATO’s involvement in criticizing the Chinese cyber activities is the first time the alliance has raised the matter publicly.

The U.S. government announced in April that it conducted cyber operations and pursued proactive network defense actions to prevent systems compromised through the Exchange Server vulnerabilities from being used for ransomware attacks or other malicious purposes.

The senior official was asked why the administration has not taken against China the same kind of punitive action it announced in April against Russia for its role in the so-called SolarWinds cyberattack.

“We’re not ruling out further actions to hold the PRC accountable,” the official said.

In April, the Treasury Department sanctioned 32 Russian banks and technology companies and people for their involvement in SolarWinds cyberattacks.
