The United States, the European Union, and the UK today publicly revealed that Hafnium, a hacker group backed by the People’s Republic of China, exploited vulnerabilities in Microsoft Exchange servers to target tens of thousands of organisations worldwide.
Earlier today, GCHQ’s National Cyber Security Centre (NCSC) announced in a press release that it was “highly likely” that a hacker group called Hafnium, which is based in China and enjoys state support, was responsible for exploiting Microsoft Exchange server vulnerabilities to target organisations worldwide, including 30,000 entities in the U.S. alone.
NCSC described the attack on Microsoft Exchange software as “the most significant and widespread cyber intrusion against the UK and allies uncovered to date” and said it was carried out earlier this year to enable “large-scale espionage, including acquiring personally identifiable information and intellectual property.”
“The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not,” said Dominic Raab, the Foreign Secretary.
In a statement released today, the European Union said the compromise and exploitation of the Microsoft Exchange server “undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions.”
“It allowed access to a significant number of hackers that have continued to exploit the compromise to date. This irresponsible and harmful behaviour resulted in security risks and significant economic loss for our government institutions and private companies and has shown significant spill-over and systemic effects on our security, economy, and society at large.
“The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation,” it added.
In the U.S., China’s role in the hacking of Microsoft Exchange software was touched upon by the White House, the Justice Department, and prominent federal agencies such as CISA, the NSA, and the FBI. The White House highlighted China’s “irresponsible and destabilizing behavior in cyberspace,” stating that it poses “a major threat to U.S. and allies’ economic and national security.” Here are some highlights from the White House’s scathing attack on China:
- The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit.
- The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.
- From the G7 and EU commitments around ransomware to NATO adopting a new cyber defense policy for the first time in seven years, the President is putting forward a common cyber approach with our allies and laying down clear expectations and markers on how responsible nations behave in cyberspace.
The three partners also called out the Chinese Ministry of State Security for carrying out cyber attacks targeting maritime industries and naval defence contractors in the US and Europe (APT40), and for targeting government entities, including the Finnish parliament in 2020 (APT31).
Microsoft was the first to attribute the exploitation of weaknesses in Exchange software to Hafnium, in early March. Microsoft said Hafnium exploited previously unknown vulnerabilities in Microsoft’s on-premises Exchange server software and also used stolen credentials to infiltrate Exchange servers owned by a number of organisations worldwide. After infiltrating an Exchange server, Hafnium would create a web shell to control the compromised server remotely, and then use that remote access to steal data from the network.
Prior to targeting Microsoft Exchange, Hafnium was in the business of targeting U.S.-based organisations across all industries using leased virtual private servers (VPS) in the U.S. Its list of victims includes infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, Microsoft said.