The Washington Post

The Cybersecurity 202: The U.S. and allies are taking a stand against Chinese hacking. Here are three takeaways

with Aaron Schaffer

The Biden administration and a bevy of allies are calling out China this morning for a raft of bad behavior in cyberspace, including a hack into Microsoft email servers that compromised at least 30,000 organizations in the United States alone. 

U.S. officials are formally attributing that hack to China’s Ministry of State Security, as are allies from the European Union, NATO, the United Kingdom, Australia, New Zealand and Japan.

The group is also condemning the Chinese government for working with criminal contract hackers, including for cyberattacks aimed solely at personal gain rather than intelligence gathering. Those operations include ransomware attacks, a senior Biden administration official said — including at least one attack in which hackers locked up computers at a U.S. company and demanded a multimillion-dollar ransom to unlock them. 

It’s among the most far-reaching condemnations of Chinese hacking to date. And the behavior it describes is far more thuggish than Beijing’s traditional hacking, which has focused on espionage and helping Chinese firms outcompete their rivals rather than on common theft.

Such close links between government and criminal hackers are a trademark of Russia’s cyber operations. They were thought to be less common in China, but not unknown there. 

The move comes as the Biden administration is already in a cyber face-off with the Kremlin, threatening severe punishments for criminal ransomware gangs operating on Russian territory that have wreaked havoc on U.S. businesses.

“We’ve raised our concerns about both the Microsoft incident and [the People’s Republic of China’s] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence and stability in cyberspace,” the senior administration official said. 

The administration isn’t announcing any sanctions or other punishments against Chinese officials for the hacks but isn’t ruling them out, the official said. 

In a separate action, the Justice Department revealed indictments this morning against four Chinese officers in a provincial arm of the Ministry of State Security for a seven-year hacking campaign focused on stealing intellectual property including information about infectious disease research. 

Here are three big takeaways:

1. Allies, allies and more allies

It’s not uncommon for the United States to join with allies in jointly attributing government-backed hacks that have global consequences. But there’s an especially long list of nations and alliances making this attribution. NATO, for example, has never before attributed a cyberattack to China. 

Other nations may make similar attributions in coming weeks, the administration official said. 

The message is clear: These nations all basically agree about what’s in and out of bounds for government hackers. And China, despite its status as an economic and military powerhouse, is firmly out of bounds. 

“[China’s] pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” the senior administration official said. The official later added, “We’re putting forward a common cyber approach with our allies and laying down clear expectations on how responsible nations behave in cyberspace.”

2. Strong words, but no punishments yet.

The United States has slapped sanctions on Russia, Iran and North Korea for hacking. But it has been wary of sanctioning China, with which it has a much broader relationship, including massive trade ties.

But harsh words have not been sufficient so far to change China’s behavior, and some analysts say it’s time to give stronger measures a try.

“The lack of any sanctions by the U.S. government against Chinese cyber threat actors is a huge problem that transcends four administrations,” Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank, told my colleague Ellen Nakashima. “We need to stop treating China as if they have a special immunity to being held accountable and we need to act in parity as we have with the other major malicious cyber actors, including Russia.”

The E.U. has been somewhat more aggressive, sanctioning Chinese hackers last year for a 12-year hacking campaign dubbed Cloud Hopper that vacuumed up data from major industries in a dozen countries.

The Biden official emphasized that today’s naming and shaming campaign is just one step in responding to Chinese hacking, and more responses may be coming. 

“We’re also aware that no one action can change behavior, and neither can one country acting on its own. So, we really focused initially in bringing other countries along with us,” the official said. 

3. The line between government and criminal hacking is getting grayer.

In addition to ransomware attacks, the criminal hacking gangs that worked with China’s Ministry of State Security were conducting other breaches. They included hacks that stole money directly from victims and that hijacked victims’ computing power to mine cryptocurrency, the administration official said. 

“That is very much with the Ministry of State Security's knowledge,” the official said.

That suggests Beijing’s approach to hacking is becoming more similar to Russia's. Experts say vast criminal networks are allowed to operate with impunity there provided they steer clear of Russian targets and do the Kremlin’s bidding when called upon. 

The line between government and criminal hacking is also hazy in North Korea, where government hackers frequently conduct cyber-enabled thefts to help fund state operations. 

The keys

NSO Group spyware was used to hack the phones of journalists, activists and others worldwide, a major investigation reveals.

The company’s Pegasus spyware was used in hacks and attempted hacks of 37 smartphones belonging to journalists, human rights activists, business executives and women close to murdered Saudi journalist Jamal Khashoggi, our colleagues report in an investigation alongside more than a dozen other news organizations. That list of targets appears to directly contradict the company’s claims that it licenses its hacking tools to governments and law enforcement agencies only to target terrorists and major criminals. 

NSO called the investigation exaggerated and baseless. An attorney for the company also said that “NSO does not have insight into the specific intelligence activities of its customers.” NSO Group CEO Shalev Hulio told The Post that some of the allegations were “disturbing” and pledged to investigate. 

The story lays bare the immense power of NSO’s hacking tools, against which victims were essentially helpless to protect themselves. Amnesty International Security Lab researcher Claudio Guarnieri compared his role in the forensic investigations of infected devices to a doctor confronting the Black Plague without medications. “Primarily I’m here just to keep the death count,” he said. 

The project will roll out throughout this week. Today’s installment reveals that numerous iPhones were successfully hacked.

NSO Group’s spyware can infect iPhone users even with the latest version of Apple’s iOS software, Craig Timberg, Reed Albergotti and Elodie Gueguen report. The hacks come despite an Apple marketing pitch that iOS devices have superior privacy and security in comparison to its industry rivals.

In all, researchers from Amnesty’s Security Lab found 23 iPhones that showed signs of a successful Pegasus infection and 11 showing signs of an attempted hack.

Apple defended the security of its software in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” said Ivan Krstić, the company’s head of security engineering and architecture. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Chinese cybersecurity regulators are stepping up their investigation of ride-share giant Didi.

They announced an on-site cybersecurity inspection of the company, the Associated Press reports. The move comes two weeks after Didi was banned from Chinese app stores after China’s cyberspace regulator said it “illegally collected and used users’ personal information” in a “grave violation of law and regulation.”

Regulators previously said they’d conduct a cybersecurity review of the company.

Didi is not the only Chinese tech giant that regulators are targeting. TikTok owner ByteDance has blocked new user registrations for news aggregator Jinri Toutiao at the behest of Chinese regulators, Reuters reports. ByteDance indefinitely postponed its plans to sell shares of its stock overseas after government officials told it to heighten its data security practices, according to the Wall Street Journal.

The Telegram messaging app’s encryption is vulnerable to hacks, experts say.

Researchers discovered four vulnerabilities in Telegram ranging from “technically trivial and easy to exploit to more advanced and of theoretical interest,” CyberScoop’s Tim Starks writes. The company said it made updates to fix the vulnerabilities.

The vulnerabilities could have allowed hackers to change the order of Telegram messages but not to read them. Telegram is one of the world’s most popular apps, surpassing 500 million monthly active users in January.

“For most of its 570 million users the immediate risk is low, but the vulnerabilities highlight that Telegram’s proprietary system falls short of the security guarantees enjoyed by other, widely deployed cryptographic protocols,” according to a summary by Swiss university ETH Zurich, whose cryptographers were part of the team that found the vulnerabilities.

Global cyberspace

Foreign actors will seek to interfere in next Canada election, spy agency says (Reuters)

UK court allows lawsuit against Dechert over Indian hacking allegations (Raphael Satter)

  • A House Intelligence Committee panel holds a hearing on microelectronics security and innovation on Tuesday at 10 a.m. 
  • The House Committee on Small Business holds a hearing on small businesses’ cybersecurity on Tuesday at 10 a.m.
  • A House Energy and Commerce Committee panel holds a hearing on ransomware on Tuesday at 10:30 a.m. 
  • The Senate Intelligence Committee holds a hearing on President Biden’s nominations of officials to top posts on Tuesday at 2:45 p.m.
  • The Senate Committee on Environment and Public Works holds a hearing on cybersecurity vulnerabilities in physical infrastructure on Wednesday at 10 a.m.
  • The Atlantic Council hosts an event on Russia and cybercrime on Thursday at 1 p.m.

Secure log off