Close-up view of Microsoft logo on its website showing cyber attacks on Microsoft Exchange

US & Intelligence Allies Formally Accuse Chinese State-Backed Hackers of the Microsoft Exchange Cyber Attacks, but Stop Short of Sanctions

The massive hack of the Microsoft Exchange email server software that took place early this year is estimated to have hit tens of thousands of victims, causing disproportionate chaos for smaller businesses. The Biden administration has formally declared that Chinese state-backed APT groups are to blame. While the attack was not considered a major national security threat (at least not on par with the SolarWinds breach), it was devastating to many American small businesses ill-equipped to respond to cyber attacks of this level of sophistication.

While the administration is willing to publicly assign blame to China, it appears to be stopping short of taking any concrete actions. Though it did announce that charges were filed against four Chinese nationals alleged to be associated with China’s Ministry of State Security, it is not moving forward with the same sort of sanctions that were levied against Russia for its attempted interference in the 2020 elections.

Chinese cyber attacks prompt accusations, but little action

The Microsoft Exchange cyber attacks unfolded primarily in the first two months of 2021. The breach was discovered in early January, but was not widely reported until Microsoft issued a patch on March 2. Just prior to and just after the release of the patch, other hackers that had caught wind of the exploit piled in and caused untold damage mostly to small businesses that cannot afford Microsoft’s more advanced email products or proper cybersecurity and may not have been keeping up with the news.

The original breach in January, which was aimed at compromising United States policy think tanks, has been traced back to Chinese threat groups believed to be state-sponsored. The vulnerability had been known to a handful of security researchers before it was exploited, leading to some speculation that it was somehow stolen from these researchers by the threat groups. Microsoft was swift to accuse Chinese hackers of being responsible.

In total there were about 250,000 victims globally, 30,000 in the US alone. The vulnerability was essentially a “skeleton key” to the Microsoft Exchange software, allowing attackers to walk right into servers running it. Once inside attackers were able to steal credentials and escalate, in many cases stealing valuable data and deploying ransomware.

The attack was more of an issue for small businesses because Microsoft Exchange is more commonly used by smaller organizations; large companies and government agencies that use Microsoft products tend to use Microsoft 365 cloud-based services and email systems, which were not impacted by this particular vulnerability. The patch was also more complex than usual, requiring some level of IT knowledge on the part of the exposed organizations as the entire “Active Directory” of email accounts needed to be updated.

The White House’s recent announcement is simply a condemnation of the actions of the Chinese hackers, described as a “pattern of irresponsible behavior in cyberspace.” One interesting aspect is that the administration has accused Chinese state-backed hackers of using ransomware and extortion schemes against Western targets for financial gain, something the country’s APT groups were not particularly known to do prior to this year.

The limit of the current consequences for the cyber attacks appears to be charges against four individuals associated with China’s MSS, who are accused of targeting trade secrets and confidential business information from dozens of organizations. Though the administration made no mention of sanctions, it has issued a separate advisory to American businesses about Hong Kong’s deteriorating commercial and investment environment. The announcement was also followed up by NATO’s first public condemnation of China’s hacking activities, asking Beijing to act responsibly in cyberspace and honor its international commitments.

While the response may seem tepid, Richard Blech (Founder and CEO, XSOC Corp) points out that it represents an escalation in what has been a quiet state of “cyber warfare” between the two countries: “The United States’ plan, along with other nations, to formally condemn the actions of the Chinese government regarding its cyber activities is welcomed news. It is long overdue … The losses that have resulted from the cybertheft of technology by the Chinese can be estimated in the billions. Before now, many nations have been reluctant to openly level accusations against China due to political implications or uncertainty … The state of the situation right now is cyberwarfare, despite any notions from other parties that may assert otherwise … The formal condemnation and the charges against the MSS officials should only be the first steps to correctly addressing the issue. The state-sanctioned cyber attacks/cyber terrorism/economic espionage that China seemingly openly engages in requires two things:

1. Aggressive data protection measures and solutions that can mitigate the vulnerabilities that are being exploited by the hackers backed by the Chinese government to compromise to target computer systems that contain sensitive intellectual property, economic, political, and military information on the part of the United States. This is not just a technological approach but a political/legislative approach as well.

2. A resounding show of force that counters such cyber attacks with repercussions that China will find difficult to ignore/overcome/cast off.”

Microsoft Exchange attack hits some government agencies, but not on the scale of SolarWinds

The Microsoft Exchange cyber attacks were not known to compromise any federal agencies, but did hit some state and local government offices as well as some military contractors. It is unclear exactly how much of that is attributable to China, which seemed to be focused on intellectual property theft, and how much was part of the “gold rush” of cyber criminals that began in late February as word of the vulnerability began circulating online.

The Microsoft Exchange incident has prompted the formation of a new partnership to combat cyber attacks from China, however. Japan, New Zealand and the European Union joined the US in forming a new working group that will share intelligence on malicious cyber activities believed to originate from Beijing.

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, agrees with Blech’s assessment that retaliation will be required to see any real change in behavior: “While the accusation points the finger at China, it does not bring enough pressure to change China’s increasing cyber offensive campaigns.  Countries must collaborate collectivity to hold nations accountable for cyber attackers that operate within their borders. Otherwise we will continue to see an escalation in cyber attacks without any action.”

And Hitesh Sheth, President and CEO at Vectra, sees this as a potential first step to establishing formal online “rules of engagement” that countries will be expected to adhere to: “The most positive development here is the possible formation of an allied coalition to establish and defend norms in cyberspace. We suffer damage because the cyber sphere lacks the governing protocols that limit, say, chemical and nuclear warfare. If the US can lead a NATO-style coalition of influential nations to stabilize cyberspace, it will likely have long-term security benefits. Government’s primary role in cybersecurity should be to set policies for a more secure digital world while the private sector innovates. This looks like a promising step in the right direction.”