How to know you’re the target of Chinese state-sponsored hackers, according to US intelligence

The US, UK, EU, and NATO linked a large-scale hack of Microsoft Exchange to individuals affiliated with China’s government. …

The US and some of its allies, including the UK, EU, and NATO, issued statements today (July 19) linking—with varying degrees of forcefulness—a large-scale hack of Microsoft that took place earlier this year to individuals affiliated with China’s government.

Why did the US accuse China of hacking Microsoft?

In March, Microsoft attributed the hack to “a highly skilled and sophisticated actor” it called “Hafnium,” which it said “operates from China.” The group exploited vulnerabilities in Microsoft’s non-cloud Exchange Server software, which the company wasn’t aware of, to steal information from the private-sector businesses that use the service.

A statement from the White House accused “with a high degree of confidence…malicious cyber actors affiliated with” China’s Ministry of State Security (MSS) of conducting “cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

At the same time, the US Department of Justice indicted four Chinese individuals it accused of “coordinating, facilitating, and managing computer hackers and linguists at…MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities.”

What do other countries say about the Microsoft Exchange hack?

The other statements published today endorse a similar message—that China is an irresponsible actor in cyber-space—but reflect the different attitudes that exist among democratic countries in relations to the Chinese government.

Short of making its own accusations, NATO merely “acknowledge[s] national statements by allies…attributing responsibility for the Microsoft Exchange Server compromise to the People’s Republic of China,” and reiterates its “willingness to maintain a constructive dialogue with China.”

The EU, which has tried to distance itself from the US-China trade war and maintain “strategic autonomy” in its relations with Beijing, attributes the Microsoft hack (pdf) to actors “from the territory of China,” while calling on the Chinese government to do more to stop cyber-attacks, and to adhere to “the norms of responsible state behavior.” It does not attribute the Microsoft hack to Chinese state-backed actors.

The UK, which has gravitated closer to the US position on China in the past year, accuses Beijing of “being behind activity known by cyber security experts as ‘APT40‘ and ‘APT31,’” two groups of hackers based in China known to be “advanced persistent threats.” It’s a step the UK government has been reluctant to take so far (paywall).

Meanwhile, Canada said it is “confident” that MSS “is responsible for the widespread compromising of the exchange servers.” New Zealand “confirmed Chinese state-sponsored actors were responsible” for the hack, and linked APT40 to MSS. Japan and Australia endorsed similar messages.

In an email statement to Quartz, a spokesperson for the Chinese mission to the EU said “the allegations in the statements by the EU and NATO are not based on facts and evidence, but speculation and groundless accusations.”

The spokesperson pointed to a “certain country in the West[‘s]” record of “massive and indiscriminate eavesdropping across the world, even on its close allies,” in a likely reference to the US National Security Agency’s PRISM program, which was revealed by Edward Snowden. (The US allegedly spied on leaders of allied countries, including Germany and France.)

They said “China is a major victim of cyber attacks.”

How to protect servers from Chinese state-backed hacking

In addition to the statement, three US intelligence agencies published a list of “over 50 tactics, techniques, and procedures” they allege the “Chinese state-sponsored cyber actors used when targeting US and allied networks.” They include:

Phishing: Hackers send bogus emails to employees of a company asking for their login credentials, often under the guise of being a member of the IT team.

? Watering hole campaigns: Hackers buy the rights to domain names that contain common misspellings of popular websites (e.g. amzn.com). They host viruses on the site, and wait for visitors to come and be infected.

?️‍♂️ Active scanning: Hackers use bots to gather up publicly available information about a company’s networks (e.g. IP addresses, open ports, employee email lists) which allow them to better plan and target their attacks.

☁️ Attacking from the cloud: Hackers use cloud service providers to launch their attacks from servers spread all over the world, to make their offensives harder to thwart.

The full list is here.

Nicolas Rivero contributed reporting.

Live Updates for COVID-19 CASES