The Biden administration and U.S. allies on Monday blamed the Chinese government for a sprawling web of cyberattacks, including a blizzard of hacks into Microsoft email servers in March and intrusions for which Beijing partnered with cyber criminals.
The announcement by the U.S., the European Union, NATO and five close allies comes as the Biden administration attempts to establish a global consensus on limitations around cyberattacks, including discouraging hacks of critical infrastructure and breaches of businesses designed to extort money or steal trade secrets.
Monday’s statements — which did not come with any publicly announced punishments or retaliations — also underscore how China’s aggressive digital army continues to wreak havoc while public attention largely focuses on the cyber threat from Russia.
Intelligence officials have concluded that China’s Ministry of State Security “uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit,” a senior administration official told reporters on Sunday.
In some cases, the official said, Chinese hackers planted software on victims’ computers that silently generated units of cryptocurrency, a process known as mining. In other cases, cyber criminals working for Beijing have infected businesses with ransomware and demanded multimillion-dollar ransom payments, according to the official, who spoke anonymously per U.S. government policy.
Perhaps the most significant attack being attributed to Beijing is the massive series of intrusions into Microsoft Exchange servers that the tech giant disclosed in March. Those attacks, which exploited previously unknown digital flaws, breached tens of thousands of servers belonging to businesses and local governments and exposed them to a feeding frenzy of follow-up hacks by other groups.
The Biden administration has “high confidence” that Chinese cyber criminals hacked the Exchange servers “with the Ministry of State Security’s knowledge,” the senior administration official said.
The official described China’s “pattern of irresponsible behavior in cyberspace” as “inconsistent with its stated objectives of being seen as a responsible leader in the world.”
Chinese cyberattacks usually focus on stealing intellectual property from Western businesses so that Chinese companies can analyze and copy it. But the Ministry of State Security’s partnerships with profit-minded criminals may reflect a new strategy for Beijing.
“The use of criminal contract hackers … was really eye-opening and surprising for us,” the senior administration official told reporters.
The ransomware attacks conducted by Chinese government-affiliated hackers — one of which the official said involved “a large ransom request made to an American company” — also surprised the Biden administration.
As part of Monday’s announcement, the FBI, the NSA and DHS’ Cybersecurity and Infrastructure Security Agency released a report exposing more than 50 tactics and techniques associated with Chinese government hackers.
The senior administration official said the government-wide cyber upgrades mandated in a recent executive order from President Joe Biden would thwart many of these common attack methods.
Monday’s multilateral condemnation of Chinese hacking is meant to showcase the U.S.’ ability to recruit like-minded countries to declare certain behavior beyond the pale.
The U.K., Australia, Canada, New Zealand and Japan will join the Biden administration in criticizing China for its attacks, with more countries expected to echo them in the coming weeks. NATO’s participation marks the first time that it has called out the Chinese government in this way.
The breadth of the condemnations reflects “the degree to which countries increasingly recognize that there’s power in collective defense,” the senior administration official said.
But it remains unclear how even multilateral denunciations will alter the calculus for Beijing, which has found cyberattacks to be a potent tool for gathering intelligence, supporting its domestic industry and destabilizing foreign rivals.
The senior administration official described Monday’s announcement as part of a broader campaign, saying “no one action can change China’s behavior in cyberspace, and neither can just one country acting on its own.”
In the four and a half months since Microsoft revealed the Exchange hacks, some cyber experts have wondered why it was taking the U.S. so long to blame China, as private security experts quickly did. The senior administration official attributed the delay to the scope of the intrusions, the desire to fully understand China’s role and the need to recruit allies for a joint announcement.