On Monday, July 19, 2021, three coordinated cybersecurity announcements were made:
- In response to the massive Microsoft Exchange Server hack, the U.S., U.K., Canada, Australia, New Zealand, Norway, Japan, the E.U., and NATO formally accused the Chinese government of engaging in harmful cyberactivity.
- The U.S. Department of Justice published its indictment of four Chinese hackers associated with the Chinese government, known as APT40.
- The FBI, CISA, and the NSA published a joint cybersecurity advisory cataloging more than fifty tactics, techniques, and procedures used by Chinese state-sponsored hackers.
Then, on Tuesday, CISA and the FBI published an advisory on state-sponsored intrusions that included the accusation that Chinese state-backed hackers had compromised thirteen U.S. oil and natural gas pipeline operators between 2011 and 2013.
In the next few articles, we’ll look at the details and implications of this summer’s cybersecurity blitz.
The Microsoft Exchange Server Hack that Hit 30,000 Organizations
In early 2021 Microsoft was alerted to attacks exploiting four previously unknown (zero-day) vulnerabilities in Exchange Server; it released patches on March 2, 2021. Microsoft Exchange Server is Microsoft’s email and calendar server application, used by many organizations for their email, calendar, messaging, and contacts. If you have an email client, like Outlook, on your desktop or phone, Exchange Server is the back-end application that your client talks to in order to send and receive data over the network. Think of Exchange Server as the post office through which data for emails, calendars, messaging, and tasks is delivered to your computer, phone, or any other device. But unlike the post office, it also stores that data, which is how you are able to sync it across your devices. The attacks hit on-premises Exchange Server installations, that is, servers organizations run themselves; Microsoft’s hosted Exchange Online service was not affected. The most popular competitor to Microsoft Exchange Server is Google Workspace (formerly G Suite).
This means that if a company runs Microsoft Exchange as its email and calendar server, all of the company’s correspondence is reachable through that server. In the U.S., the hack disproportionately affected small and medium-sized businesses as well as some state and local governments. Globally, the hack affected businesses and some governing bodies. What was so brazen about this hack was how wide-reaching and indiscriminate it was. The massive SolarWinds hack by Russian hackers went undetected for longer than the Exchange hack but was much more targeted: about two hundred organizations were affected. The Microsoft Exchange hack compromised some 30,000 businesses and organizations.
Speaking to the Wall Street Journal, Kellen Dwyer, who served last year as deputy assistant attorney general in the Justice Department’s national security division, said that the SolarWinds attack “was an espionage attack, and one that was relatively cautious about imposing collateral damage.”
Meanwhile, said Mr. Dwyer, the Chinese actors who allegedly engaged in the Microsoft Exchange hack grabbed vast swaths of data and “indiscriminately scanned the entire internet to find unpatched vulnerabilities.” He said: “That certainly should be a norm that we are willing to define and meet with sanctions.” (Dustin Volz and Aruna Viswanatha, “Biden Administration Blames Hackers Tied to China for Microsoft Cyberattack Spree,” Wall Street Journal)
As a result, on Monday the U.S., U.K., Canada, Australia, New Zealand, Norway, Japan, the E.U., and NATO accused the Chinese government of the Exchange hack after determining “with a high degree of certainty” that the group that orchestrated the attack, known as Hafnium, works with the Ministry of State Security (MSS), the Chinese government’s civilian intelligence and security agency. Furthermore, the MSS apparently permits its contract hackers to engage in criminal activity for their own profit, such as ransomware attacks, cryptojacking, and extortion. U.S. Secretary of State Antony Blinken’s official statement says:
The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security. The PRC’s Ministry of State Security (MSS) has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain. In addition, the United States government, alongside our allies and partners, has formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims. (“Responding to the PRC’s Destabilizing and Irresponsible Behavior in Cyberspace,” Press Statement, U.S. Department of State)
According to the WSJ, Monday’s announcement was part of a broader, coordinated condemnation of Chinese state-sponsored cyberattacks by those same governments and organizations, and it was the first time NATO had formally accused the Chinese government of state-sponsored malicious cyber activity.
This isn’t the first time the state-backed hacker group that Microsoft calls Hafnium has infiltrated organizations. Previously, Hafnium targeted infectious disease researchers, law firms, and universities. For the Exchange hack, Hafnium chained together four vulnerabilities in Microsoft’s Exchange software, which it used to read mailboxes and install unauthorized software on the servers. Because no patch existed when the attacks began, these are known as zero-day vulnerabilities, and the attack as a zero-day exploit. According to author and cybersecurity journalist Nicole Perlroth in her book This Is How They Tell Me the World Ends,
“For the unindoctrinated: zero-days offer digital superpowers. They are a cloak of invisibility…At the most basic level a zero-day is a software or hardware flaw for which there is no existing patch. They got their name because when a zero-day flaw is discovered, the good guys have zero days to fix them.” (Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, page 30)
In the days before Microsoft released its patches, the hackers used automated tooling to scan the internet for reachable Exchange servers and planted a web shell on each one they could exploit: a small script dropped into a directory the web server serves, which lets the attacker run commands on the server from a browser or a script with an ordinary HTTP request. As one Wired article put it, it was like leaving thousands of keys under door mats so they could come back later and figure out who had something worth stealing. A web shell also lowers the bar for everyone else: anyone who finds the file and knows its password has the same access, and installing the patch closes the original holes but does not remove a shell that is already in place. Wired reports that at least one ransomware group took advantage of the Exchange web shells.
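The point above that a web shell is a plain file sitting in a web-served directory is what makes it findable after the fact. The following is an added example written for this article (not code from Microsoft, Wired, or any incident report) that scores ASP.NET page files for the combination almost every shell has and legitimate pages lack: reading attacker input from the HTTP request and feeding it to something that executes it. The file paths and contents are constructed for the demo and are hypothetical, not artifacts from the Exchange hack.

```python
"""Heuristic web shell scan for ASP.NET pages on an Exchange host.

Added example for this article; not code from Microsoft or from any
incident report. A web shell almost always combines two things: reading
attacker input from the HTTP request and handing that input to something
that executes it. Legitimate OWA/ECP pages do neither in one file. The
sample files at the bottom are constructed for the demo (hypothetical
paths and contents), not artifacts from the Exchange hack.
"""
import re
from dataclasses import dataclass, field

# Sources: places a page reads attacker-controlled request data.
REQUEST_INPUT = re.compile(
    r"Request\s*(?:\.\s*(?:Form|QueryString|Item|Headers|Params)\b|\[)", re.I)

# Sinks: anything that turns data into code or a process.
CODE_EXEC = re.compile(
    r"\beval\s*\(|\bExecute\s*\(|Process\.Start|cmd\.exe|powershell"
    r"|Assembly\.Load|CreateObject\s*\(|Runtime\.InteropServices", re.I)

# A long base64 run often hides a second-stage .NET assembly or script.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# JScript page directives are rare in real Exchange pages but common in
# one-line shells.
JSCRIPT_DIRECTIVE = re.compile(r'Language\s*=\s*"?Jscript', re.I)


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_file(path: str, content: str) -> Finding:
    """Score one file; higher means more shell-like."""
    f = Finding(path)
    has_input = bool(REQUEST_INPUT.search(content))
    has_exec = bool(CODE_EXEC.search(content))
    if has_input and has_exec:
        f.score += 5
        f.reasons.append("request input reaches an exec sink")
    elif has_exec:
        f.score += 2
        f.reasons.append("exec sink present")
    if LONG_BASE64.search(content):
        f.score += 2
        f.reasons.append("long base64 blob")
    if JSCRIPT_DIRECTIVE.search(content):
        f.score += 2
        f.reasons.append("JScript page directive")
    if has_exec and len(content) < 200:
        f.score += 1
        f.reasons.append("tiny file with exec sink")
    return f


def scan_for_webshells(files: dict, threshold: int = 5) -> list:
    """Return findings at or above threshold, most suspicious first.

    `files` maps a path to that file's text; in practice you would walk the
    Exchange install and inetpub directories and read each .aspx/.ashx.
    """
    hits = [score_file(p, c) for p, c in files.items()]
    return sorted((h for h in hits if h.score >= threshold),
                  key=lambda h: h.score, reverse=True)


# Constructed samples (hypothetical paths; contents written for the demo).
CHOPPER_STYLE = '<%@ Page Language="Jscript"%><%eval(Request.Item["pwd"],"unsafe");%>'
LOADER_STYLE = ('<%@ Page Language="C#" %><% var d = Convert.FromBase64String("'
                + "QUFB" * 50 + '"); System.Reflection.Assembly.Load(d)'
                '.GetType("Run").GetMethod("Go").Invoke(null, new object[]'
                '{ Request.Form["c"] }); %>')
BENIGN = ('<%@ Page Language="C#" MasterPageFile="~/auth/Site.master" %>'
          '<asp:Label runat="server" Text="<%$ Resources:Logon, Title %>" />')

SAMPLE_FILES = {
    "C:/inetpub/wwwroot/aspnet_client/help.aspx": CHOPPER_STYLE,
    "C:/Exchange/FrontEnd/HttpProxy/owa/auth/error2.aspx": LOADER_STYLE,
    "C:/Exchange/FrontEnd/HttpProxy/owa/auth/logon.aspx": BENIGN,
}

if __name__ == "__main__":
    for hit in scan_for_webshells(SAMPLE_FILES):
        print(f"{hit.score:2d}  {hit.path}  ({', '.join(hit.reasons)})")
```

Run against the two constructed shells and the benign logon page, the scan flags only the two shells. The scoring is deliberately conservative: an exec sink alone (some admin tooling legitimately starts processes) scores too low to alert, while request input flowing into a sink does. Any hit is an incident-response trigger, not a cleanup task: the shell is evidence of what the attacker could reach, and patching the server afterwards does not undo that.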
To break into a given Exchange server, the hackers needed to know which email accounts existed on it. A Wall Street Journal exclusive published in April showed that the hackers likely mined troves of personal information they already had access to:
Among the potential sources of the personal data is China’s vast archive of likely billions of personal records its hackers stole over the past decade. The hackers may have mined that to discover which email accounts they needed to use to break into their targets, according to people familiar with the matter. (Dustin Volz and Robert McMillan, “Suspected China Hack of Microsoft Shows Signs of Prior Reconnaissance,” Wall Street Journal)
All countries spy on one another, governments in particular, in the name of national security, and cyberespionage is part of that. Cyber spying has its own set of ethical issues. But where the Communist Party of China has run afoul of global norms is by stealing intellectual property, extorting private businesses with ransomware attacks, cryptojacking, theft, and blackmail, and by doing so at a massive scale.