The condemnations represent the first time NATO, a 30-nation alliance, has denounced alleged Chinese cyberattacks and follow the Biden administration’s pledge in June to rally U.S. allies against Beijing’s behavior. The number of nations involved amounts to the largest condemnation of China’s cyber aggressions to date, U.S. officials said.
The joint statements stopped short, however, of punishing the country for its alleged actions, exposing the challenge of an alliance with deep business ties to China trying to confront the world’s second-largest economy.
China’s “pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” the White House said in a statement Monday.
This is the first time Washington and other U.S. allies have assigned blame for the Microsoft Exchange hack, which compromised more than 100,000 servers worldwide. Microsoft alleged in March that its Exchange servers were compromised by a Beijing-backed hacking group that exploited several previously unknown flaws in the software.
By singling out China’s Ministry of State Security (MSS) and hackers operating “with its knowledge,” the United States and its allies are seeking to put forward a common cyber approach with allies and lay down “clear expectations on how responsible nations behave in cyberspace,” said a senior administration official speaking on the condition of anonymity in advance of the allies’ collective statements under ground rules set by the White House. Administration officials have raised concerns with senior Chinese officials about the Microsoft incident and broader malicious cyber activity, “making clear that [China’s] actions threaten security, confidence and stability in cyberspace,” the official said.
Merely affixing blame but failing to impose a consequence will not deter future cyberattacks, some analysts said.
“The lack of any sanctions by the U.S. government against Chinese cyberthreat actors is a huge problem that transcends four administrations,” said Dmitri Alperovitch, chairman of Silverado Policy Accelerator, a think tank. He noted that the European Union, which has lagged the United States in publicly attributing cyberattacks to foreign governments, last year imposed the first cyber sanctions, against two Chinese nationals and a Chinese company for a supply-chain hack known as Cloud Hopper.
“We need to stop treating China as if they have a special immunity to being held accountable, and we need to act in parity, as we have with the other major malicious cyber actors, including Russia,” Alperovitch said.
The Biden administration is “not ruling out further action to hold [China] accountable,” the senior administration official said. “We’re also aware that no one action can change behavior, and neither can one country acting on its own,” the official added. “So we really focused initially on bringing other countries along with us.”
The allies and partners are also condemning Beijing for working with criminal hacker groups involved in ransomware attacks, which lock down computer systems pending payment, including at least one effort to extort a U.S. company for millions of dollars, the official said. Cybersecurity analysts have tracked ransomware attacks by Chinese criminals for years, and these incursions are generally not of the same scale as those conducted by Russia-based hackers.
“Showing how the MSS is using criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit . . . is very significant,” the official said.
The official added that Washington and its allies would be exposing “50 tactics, techniques and procedures Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, along with advice for technical mitigations to confront this threat.”
The E.U. denounced “malicious cyber activities” emanating from China in its statement Monday, saying the actions are “in contradiction with the norms of responsible state behavior.” NATO said it stood in solidarity with allies Canada, Britain and the United States in attributing the attack to China and called on all countries, including China, to act “responsibly” in cyberspace.
For much of January and February, the Chinese theft of email seemed stealthy and targeted, analysts said. Then suddenly in late February, shortly before Microsoft issued a patch to address the vulnerability, the illicit activity exploded. Hackers seemed to be dropping “webshells” — malware designed to install a back door into targeted systems — on anyone running an Exchange server. Some 140,000 servers were hit worldwide, White House deputy national security adviser Anne Neuberger said recently. The victims were mostly small-to-medium-size businesses and included no federal agencies.
The U.S. government initially feared the campaign could result in other hackers taking advantage of the vulnerabilities to carry out ransomware attacks. At the White House’s urging, Microsoft released a second patch — a “one click” tool that was easier to deploy — and the administration made a concerted communications push to encourage businesses to install it. That brought the number of affected servers down from 140,000 to fewer than 10,000 in the space of a week, Neuberger said.
In April, the Justice Department and FBI for the first time launched an operation, using a court order, to remove hundreds of webshells that remained on certain U.S.-based computers still running Microsoft Exchange software. “We believe it reduced the Chinese ability to sneak back in and conduct more disruptive activity,” the official said.
Separately, the Justice Department on Monday announced indictments against three MSS officers whom the United States has tied to hacking schemes targeting companies, universities and government entities in other countries, allegedly to benefit Chinese research and development work.
Devlin Barrett contributed to this report.