"The National Security Agency [NSA], Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII)," the joint cybersecurity advisory (CSA) said.
The CSA exposes over 50 tactics and techniques claimed to have been used by Chinese state-sponsored cyber actors to target US and allied networks.
"Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products," the advisory stated, adding that these "actors" often make an effort to mask their activities by using a revolving series of virtual private servers (VPSs).
The NSA, CISA, and the FBI claim that Chinese state-sponsored cyber actors have performed reconnaissance on Microsoft 365, have used short-term VPS devices to scan and exploit vulnerable Microsoft Exchange Outlook Web Access servers and plant webshells, and have targeted hybrid cloud environments to gain access to cloud resources.
"The administration has funded five cybersecurity modernization efforts across the federal government to modernize network defenses to meet the threat. These include state-of-the-art endpoint security, improving logging practices, moving to a secure cloud environment, upgrading security operations centers, and deploying multi-factor authentication and encryption technologies. The latter could be deployed fully within six months," the US official said.
Washington Attributes Microsoft Exchange Hack to Cyber Actors Affiliated With China
The US government and its allies also believe that hackers affiliated with China’s Ministry of State Security (MSS) were involved in the cyberattacks on the Microsoft Exchange email software.
Microsoft Exchange servers became vulnerable to hackers — giving them full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network — under a global wave of cyberattacks and data breaches earlier this year.
"... the United States government, alongside our allies and partners, will formally attribute the malicious cyber campaign utilizing the zero-day vulnerabilities in the Microsoft Exchange Server disclosed in March - a number of months ago - to malicious cyber actors affiliated with the MSS with high confidence," a senior US administration official told reporters on Sunday.
The administration official said during the Sunday press call that the US has "worked with allies and partners around the world to share the details of the [Microsoft Exchange hack] attribution, because there were victims globally around the world from this activity, and to really gain and invite them to join us on the attribution, on the network defense - collective defense partnership, which we felt was really critical to conveying our criticism and our concerns about the irresponsible malicious cyber activities coming out of China."
US Informed China About Cyber Activity Concerns
Washington has discussed its concerns about the Microsoft Exchange Server hacks and China’s cyber activities with the Chinese government, a senior US administration official said.
"We’ve raised our concerns about both the Microsoft incident and the PRC’s [People’s Republic of China] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace," the US official said on Sunday.
The official emphasized that the US and its allies are sending a "strong, united message of accountability" to China, with NATO joining in for the first time in attributing malicious cyber activities to China.
"So, we think we're at that first important stage of bringing awareness and buy-in to this [Microsoft Exchange hack] attribution, and focusing us together on our collective security efforts, promoting network defense, and other actions needed to disrupt these threats," the US official said.
UK’s Raab Accuses China-Backed Actors of Carrying Out Hacking Attack on Microsoft Server
UK Foreign Secretary Dominic Raab also stated that Chinese state-backed groups have carried out hacking attacks on Microsoft Exchange Server.
"The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour," Raab said, as quoted by the UK Foreign Office in a statement.
The Foreign Office said that London joins "likeminded partners" to confirm Chinese state-backed groups "were responsible for gaining access to computer networks via Microsoft Exchange servers".
"The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not," Raab added.
China has repeatedly dismissed Western allegations that it was behind certain cyberattacks, expressing readiness to cooperate on cybersecurity matters. According to the Chinese Foreign Ministry, under the guise of cyberdefence, the US puts pressure on companies in other countries, trying to oust competitors and maintain its hegemony on the internet.