UK blames China for Microsoft Exchange Server hack

The UK government has formally laid the blame for the Microsoft Exchange Server cyberattack at the feet of China. 

On Monday, the government joined others — including the victim company itself, Microsoft — in claiming the cyberattack was the work of Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. 

Foreign Secretary Dominic Raab deemed the attack “by Chinese state-backed groups” as a “reckless but familiar pattern of behavior.”

“The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab added. 

Suspicious activity linked to discovering four zero-day vulnerabilities in on-prem Microsoft Exchange Servers was discovered early this year. 

In March, the Redmond giant issued emergency patches to mitigate the threat to its customers; however, the vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were exploited, compromising an estimated 30 000 organizations in the US alone. 

The European Banking Authority was one of the most high-profile victims of the attack. 

Following the incident, the malware was discovered on over 2000 machines belonging to businesses in the United Kingdom.

The UK government believes the attack was likely conducted for “large-scale espionage”, including the theft of information and intellectual property. 

Furthermore, UK officials say that the Chinese Ministry of State Security is backing two other groups, known as APT40 (TEMP.Periscope/TEMP.Jumper/Leviathan) and APT31 (Judgement Panda/Zirconium/Red Keres). 

According to the National Cyber Security Centre (NCSC), APT40 is responsible for targeting the maritime industry and naval contractors in the United States and Europe, and the agency assesses with high confidence that the Chinese Ministry of State Security is backing the group, which “operates to key Chinese State Intelligence requirements.”

In addition, the NCSC says that APT31 is responsible for targeting government and political figures, including the Finnish Parliament, in 2020.

“[The] NCSC is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security,” the agency added. 

“The Chinese government has ignored repeated calls to end its reckless campaign, instead [of] allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught,” UK officials commented. “This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data, and commercial interests of those with whom it seeks to partner.”

The government has also called on China to desist in its alleged attempts to conduct or support IP and trade secrets theft through cyberattacks. In addition, the White House has also issued a statement criticizing China’s alleged behavior. 

Previous and related coverage

• Everything you need to know about the Microsoft Exchange Server hack
  
  
• Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK
  
  
• Microsoft Exchange Server attacks: “They’re being hacked faster than we can count”, says security company.
  
  

---

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

---