The White House and its western allies have accused the Chinese government of teaming up with criminal gangs to commit widespread cyber attacks, including one on Microsoft this year that affected tens of thousands of organisations.
The accusation came as the US Justice department unsealed an indictment alleging that four Chinese nationals affiliated with the Ministry of State Security had overseen a separate campaign to infiltrate companies, universities and government bodies in the US and overseas between 2011 and 2018.
Antony Blinken, US secretary of State, said China’s actions represented “a major threat to” economic and national security. “Responsible states do not indiscriminately compromise global network security nor knowingly harbour cyber criminals – let alone sponsor or collaborate with them,” he added.
A senior administration official said the US had a “high degree of confidence” that attackers on the MSS payroll had carried out an offensive on Microsoft’s Exchange email application, which was disclosed in March. One cyber security researcher claimed it hit at least 30,000 organisations, including businesses and local governments. The White House did not state which particular group of hackers or contractors were responsible for the attacks.
The US move to condemn China on Monday was supported by a coalition of allies, including those in Europe and Nato who have historically been wary of publicly criticising Beijing. Diplomats hope that by exposing the MSS’ links with criminal hackers, they will persuade the Chinese government to sever its links with these groups. However, it is unclear what action will be taken if China fails to comply.
The European Council said that the Microsoft Exchange hack constituted “irresponsible and harmful behaviour” which had resulted in security risks and “significant economic loss” for government institutions and private companies across Europe.
Nato said it noted that cyber threats to the alliance were increasingly “complex, destructive and coercive”, and called on all states, “including China” to uphold their commitments to act responsibly in cyber space.
The UK said for the first time on Monday that it considers two Chinese hacking groups, APT 40 and APT 31, to be linked to China’s MSS.
British officials have been concerned by the increasing recklessness of Chinese-backed cyber activity, and have been raising their objections privately with Beijing for the past three years, to no effect. Using criminal gangs to carry out cyber espionage and intellectual property theft has made it easier for the Chinese government to deny their involvement in these activities — a problem which western allies now want to confront.
The joint action marked a new front in Washington’s battle against the rising tide of ransomware attacks, which have largely been blamed until now on gangs believed to be operating out of Russia.
Meanwhile, according to the DoJ indictment, four Chinese nationals carried out a hacking campaign over seven years targeting aviation, defence, education, government, healthcare, biopharmaceutical sectors in a range of countries including the US, Canada, Germany, Saudi Arabia and the UK.
It alleged that hackers stole information on sensitive technologies such as autonomous vehicles and commercial aircraft servicing, as well as infectious-disease research on Ebola, MERS, and HIV. This group has previously been referred to as APT 40, also known as “Bronze”.
The indictment named three Chinese nationals — Ding Xiaoyang Cheng Qingmin and Zhu Yunmin — as state security officials in Hainan province who allegedly set up a front company to hide the government’s involvement in the hacking operation.
A fourth man, Wu Shurong, was named as a hacker who allegedly created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other members of the hacking team.
The threat posed by cyber attacks has proliferated during the pandemic as hackers exploited vulnerabilities exposed by employees working remotely.
The US has come under increasing pressure to take action. President Joe Biden warned his Russian counterpart Vladimir Putin this month that Moscow would face consequences if it failed to act against ransomware attackers, who typically seize a company’s data or systems and demand payment to release it.
Biden’s threat followed highly disruptive ransomware attacks on companies including Colonial Pipeline, which was forced to close temporarily, and JBS, the world’s largest meat processor.
US officials also said they were “surprised” to find that individuals affiliated with China’s MSS were behind a ransomware hit in which hackers demanded millions of dollars from an unnamed US company.
The US justice department charged five Chinese citizens last September for hacking more than 100 companies globally as part of a state-backed group known as APT41.