UK and allies blame Chinese government for orchestrating Microsoft hack

The UK government and its allies - including the US - have accused the Chinese government of being responsible for “systematic cyber sabotage” affecting a quarter of a million servers around the world, and warned that the alleged behaviour must end.

The cyber attacks took place in early 2021, targeting servers running Microsoft Exchange, Microsoft’s email server software. A group known as Hafnium compromised Microsoft Exchange, allowing it to penetrate the IT networks of its targets. The attack was so widespread that at the time the White House National Security Council formed an emergency response group to deal with it.

Microsoft said that by the end of March, 92 per cent of customers had been patched against the vulnerability.

Now, according to British officials, the attack was very likely to have been carried out to enable “large-scale espionage”, including stealing personal information and intellectual property. The National Cyber Security Centre (NCSC) is “almost certain” that the compromise was initiated and exploited by actors backed by the Chinese state.

“The cyber-attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” said Dominic Raab, the Foreign Secretary. “The Chinese government must end this systemic cyber sabotage and can expect to be held to account if it does not.”

Paul Chichester, NCSC director of operations, added: “The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyberspace. This kind of behaviour is completely unacceptable, and alongside our partners we will not hesitate to call it out when we see it.”

The UK is also attributing the activity referred to as “APT40” and “APT31” to the Chinese ministry of state security. The APT40 group has been blamed for activities including targeting maritime industries and naval defence contractors, while APT31 has been accused of targeting government entities and individual politicians.

The White House has also laid blame for the attack at China’s door. A senior Biden administration official said that hackers affiliated with China’s ministry of state security were responsible for the operation. This is the first time the US government has formally attributed the campaign to the Chinese government. Microsoft researchers had previously attributed the operation to actors based in China, but did not detail a state connection.

A senior official said: “[the department] is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyber operations globally.”

The EU joined the UK and US in blaming the attacks on hackers based in China, although it did not explicitly link them to the Chinese government.

EU high representative Josep Borrell said: “The compromise and exploitation of the Microsoft Exchange server undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions. It allowed access to a significant number of hackers that have continued to exploit the compromise to date.”

“This irresponsible and harmful behaviour resulted in security risks and significant economic loss for our government institutions and private companies, and has shown significant spill-over and systemic effects for our security, economy and society at large.”

NATO, Japan, Australia, Canada, and New Zealand are also expected to comment on the cyber attack today and similarly state that it can be traced back to Chinese state-based or state-backed actors. It will be the first time NATO publicly attributes this type of activity to the Chinese government.
