US and allies officially accuse China of Microsoft Exchange attacks

US and allies, including the European Union, the United Kingdom, and NATO, are officially blaming China for this year’s widespread Microsoft Exchange hacking campaign.

These early 2021 cyberattacks targeted over a quarter of a million Microsoft Exchange servers, belonging to tens of thousands of organizations worldwide.

The Biden administration attributes “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the White House added.

“The attack on Microsoft Exchange software was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property,” the UK National Cyber Security Centre (NCSC) also said today.

“The National Cyber Security Centre – which is a part of GCHQ – assessed that it was highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity.”

The UK added that the Chinese Ministry of State Security (MSS) is also behind Chinese state-backed hacking groups tracked as APT40 and APT31.

The NSA, CISA, and FBI also issued a joint advisory containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors have used in attacks targeting the US and allied networks.

The United States has joined countries around the world in condemning the PRC for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security. https://t.co/y5SWPj98p3

— Secretary Antony Blinken (@SecBlinken) July 19, 2021

 

CISA and the FBI also published indicators of compromise and TTPs to help organizations detect and remediate APT40 intrusions and established footholds within their networks.

The US Department of Justice also announced criminal charges against four MSS hackers (indictment here) regarding activities part of a multi-year campaign targeting governments around the world and organizations from critical sectors.

“The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyberspace,” the EU and its Member States added in a separate statement issued today.

“This kind of behavior is completely unacceptable, and alongside our partners we will not hesitate to call it out when we see it.”

Abused to deploy ransomware and cryptominers

In early March 2021, Microsoft disclosed four zero-days actively being exploited in attacks targeting on-premises Microsoft Exchange servers.

The vulnerabilities (collectively known as ProxyLogon) were exploited in indiscriminate attacks against organizations from multiple industry sectors worldwide, with the end goal of stealing sensitive information.

Threat actors behind ProxyLogon attacker have been observed while deploying web shells, cryptomining malware, as well as DearCry and Black Kingdom ransomware payloads on compromised Exchange servers.

After Microsoft disclosed the attacks, Slovak internet security firm ESET discovered at least ten APT groups targeting vulnerable Exchange servers.

Microsoft said at the time that the Chinese state-sponsored hacking group known as Hafnium is behind these attacks.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Microsoft said.

“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”