Biden Administration, Allies Attribute Microsoft Exchange Hack to China

The Biden administration and a group of allies on Monday attributed the Microsoft Exchange server attack that impacted tens of thousands of customers with “high confidence” to hackers affiliated with the Chinese government. 

In March, Microsoft announced it discovered a threat actor the company believed to be operating out of and sponsored by China exploiting previously unknown vulnerabilities in its system. The attribution by the Biden administration and a group of allies including the European Union, the North Atlantic Treaty Organization, and the Five Eyes intelligence alliance goes deeper on this assertion: according to the Monday announcement, Beijing’s Ministry of State Security (MSS) has relied on contract hackers who conduct cyber operations like ransomware attacks and cyber-enabled extortion around the world for financial gain. 

According to a senior administration official, who spoke to reporters on condition of anonymity Sunday night, the use of contract hackers as well as the scope and scale of the Microsoft incident was “eye-opening” to the administration. The FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency in an advisory detailed techniques used by the hackers in the Microsoft attack and in others.

Unlike the SolarWinds case, when the White House sanctioned a swath of Russian entities in response to the hack that affected several government agencies, the Biden administration did not announce retaliatory actions against China apart from the vocal criticism. The senior administration official emphasized that the main thrust of the criticism is to make clear to China that as long as malicious cyber activities continue, countries around the world will unite in opposition to them. But the official said the administration is not ruling out further actions to hold China accountable. 

After delivering remarks on the economy, President Joe Biden said investigators are still determining exactly what happened when asked by a reporter why “naming and shaming” but not sanctions is effective. Later, when asked during the daily press briefing whether the U.S. declined to employ sanctions against China due to potential economic blowback the U.S. might face, Press Secretary Jen Psaki said the Biden administration is not holding back. 

“We are not allowing any economic circumstance or consideration to prevent us from taking actions where warranted and also we reserve the option to take additional actions where warranted as well,” Psaki said. “This is not the conclusion of our efforts as it relates to cyber activities with China or Russia.” 

Rep. Jim Langevin, D-R.I., chairman of the House Armed Services cyber and innovative tech subcommittee and member of the Cyberspace Solarium Commission, commended the Biden administration in a statement for bringing together allies to expose malicious activity. But Langevin also said it was his “hope that attribution could have come sooner.” 

“Unfortunately, the Chinese Community Party has shown a consistent willingness to conduct expansive cyber campaigns, and the exploitation of Microsoft Exchange Server will surely not be the last we see from them,” Langevin said. “When the time comes, we must be prepared to once again marshal the international community against China’s destabilizing operations and work towards building a safe cyberspace for all.”

The senior administration official said the three-month lag time between Microsoft announcing the hack and announcing attribution came down to wanting to ensure confidence in the assessment as well as a desire to bring in allies to help send China a message. Psaki added the effort to unite allies came at the direction of the president. 

Concurrent with the Monday announcement, the Justice Department said a federal grand jury in California returned an indictment, which was unsealed Friday, charging four Chinese nationals with a conspiracy to hack into computer systems of dozens of victims including companies, universities, and government entities—both in the U.S. and abroad—between 2011 and 2018. The four hackers were working for a branch of the MSS, according to DOJ.