China Officially Accused of Microsoft Exchange Attacks
The US and Allies Are Officially Accusing China of This Year’s Widespread Microsoft Exchange Hacking Campaign.
The US and its allies, including the European Union, the United Kingdom, and NATO, are now officially blaming China for the widespread Microsoft Exchange attacks campaign that took place earlier this year.
The mentioned cyberattacks targeted more than a quarter of a million Microsoft Exchange servers belonging to tens of thousands of organizations worldwide.
According to a briefing by the White House, the Biden Administration is attributing the attacks to the People’s Republic of China (PRC).
The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security.
An unprecedented group of allies and partners – including the European Union, the United Kingdom, and NATO – are joining the United States in exposing and criticizing the PRC’s malicious cyber activities.
The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world. Today, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activities is bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.
The NCSC (The National Cyber Security Centre) also stated that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.
The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyberspace.
This kind of behaviour is completely unacceptable, and alongside our partners we will not hesitate to call it out when we see it.
It is vital that all organisations continue to promptly apply security updates and report any suspected compromises to the NCSC via our website.
NSA, CISA, and the FBI also issued a joint advisory that is containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors used in attacks targeting the US and allied networks.
Back in early March, Microsoft disclosed four zero-day vulnerabilities that were actively exploited in attacks targeting on-premises Microsoft Exchange servers.
These vulnerabilities, which became collectively known as ProxyLogon, were exploited in attacks aimed against organizations from multiple industry sectors worldwide.
The threat actors were observed deploying web shells, cryptomining malware, and DearCry and Black Kingdom ransomware payloads on compromised Exchange servers.
Microsoft declared at the time that they believe a Chinese state-sponsored hacking group known as Hafnium might be behind these attacks.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.