By Zolan Kanno-Youngs and David E. Sanger
WASHINGTON — The Biden administration Monday (19) formally accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States joined a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world.
The United States accused China for the first time of paying criminal groups to conduct large-scale hackings, including ransomware attacks to extort companies for millions of dollars, according to a statement from the White House. Microsoft had pointed to hackers linked to the Chinese Ministry of State Security for exploiting holes in the company’s email systems in March. The US announcement Monday morning was the first suggestion that the Chinese government hired criminal groups to hack tens of thousands of computers and networks around the world, resulting in “significant remediation costs for its mostly private sector victims,” according to the White House.
Secretary of State Antony Blinken said in a statement Monday that China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
“These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the MSS had them on its payroll,” Blinken said.
Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange — email systems that companies maintain on their own, rather than putting them in the cloud — cited the Chinese government for its work.
“We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” according to a statement from NATO.
Despite the broadside, the announcement lacked sanctions similar to ones that the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected US government agencies and more than 100 companies. (The Justice Department on Friday (16) did unseal an indictment from May charging Chinese residents with a campaign to hack computer systems of dozens of US companies, universities and government entities between 2011 and 2018. The hackers developed front companies to hide any role the Chinese government had in backing the operation, according to the Justice Department.)
By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital cold war with its two main geopolitical adversaries than at any time in modern history.
While there is nothing new about digital espionage from Russia and China — and efforts by Washington to block it — the Biden administration has been surprisingly aggressive in calling out both countries and organizing a coordinated response.
But so far, it has not yet found the right mix of defensive and offensive actions to create effective deterrence, most outside experts say. And the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated ever detected in the United States, was an effort by Russia’s lead intelligence service to alter code in widely used network-management software to gain access to more than 18,000 businesses, federal agencies and think tanks.
China’s effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is “high confidence” that the hacking of the Microsoft email system was done at the behest of the Ministry of State Security, a senior administration official said, and abetted by private actors who had been hired by Chinese intelligence.
The National Security Agency, FBI and Cybersecurity and Infrastructure Security Agency also issued an advisory Monday warning that Chinese hacking presented a “major threat” to the US and its allies. China’s targets include “political, economic, military and educational institutions, as well as critical infrastructure.”
Criminal groups hired by the government aim to steal sensitive data, critical technologies and intellectual properties, according to the advisory.
The FBI took an unusual step in the Microsoft hacking: In addition to investigating the attacks, the agency obtained a court order that allowed it to go into unpatched corporate systems and remove elements of code left by the Chinese hackers that could allow follow-up attacks. It was the first time the FBI acted to remediate an attack as well as investigate its perpetrators.
-New York Times