On July 19, 2021, the Biden administration, along with a group of allies, publicly accused the Chinese government of malicious cyber activities and irresponsible state behavior. The joint announcement states that the U.S. uncovered a wide array of cyberattacks by hackers with a history of working for China’s Ministry of State Security (MSS). Importantly, the announcement attributes the recent attack on Microsoft Corp.’s Exchange email software, an attack which infected tens of thousands of businesses, government offices and schools in the U.S. alone, to the MSS. While the public accusation was not accompanied by any sanctions or punitive measures against China, the unified condemnation by the global community is significant: a broad coalition (the U.S., the EU, the U.K., Canada, Australia, New Zealand, Japan and the 30 nations comprising NATO) is attributing the Microsoft Exchange cyberattack to China and, more broadly, criticizing China for engaging in years of harmful cyber activity.
In connection with the allegations, the Department of Justice (DOJ) announced criminal charges against four MSS hackers for targeting foreign governments and entities in crucial sectors, such as defense, education, healthcare, maritime and aviation, in pursuit of cybertheft of intellectual property for financial gain. The DOJ indictment accused the hackers of stealing information from dozens of organizations and universities around the globe, including Ebola virus research and other important intellectual property. The unsealed DOJ documents allege a violation of the 2015 accord between China’s President Xi and the Obama Administration not to direct or support cyberattacks to steal corporate records or intellectual property.
It is clear that the Biden administration and U.S. government are acutely focused on cybersecurity issues and on assisting the private sector in defending against these attacks. In conjunction with the announcement attributing the attacks to the MSS, the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) published a Joint Cybersecurity Advisory describing more than 50 tactics, techniques and procedures (TTPs) used by the MSS hackers. Similar to the recent launch of StopRansomware.gov, the Joint Cybersecurity Advisory provides insights and tools to help businesses and critical infrastructure operators secure their networks and protect their data. With regard to the MSS hackers, the TTPs indicate they were particularly reckless in their approach: indiscriminately scanning the Internet for vulnerable servers, then installing scripts and/or webshells that gave the hackers remote administrative control of those servers. Businesses are encouraged to review these TTPs and analyze whether their environments are susceptible to these approaches.
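The two behaviors singled out above, broad scanning for exposed servers and webshells driven over HTTP, both leave traces in ordinary web server access logs. The following Python script is an added illustration of how a business might review its own logs for those traces; it is not code from the Joint Cybersecurity Advisory or from this article. It parses the common "combined" access log layout (Apache and nginx default), flags source addresses that probed many non-existent paths (a scanning pattern), and flags POST requests to script files that are not part of the application's known endpoints (the way a dropped webshell is typically exercised). The log lines, the IP addresses, the paths and the list of known endpoints are all constructed sample data, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format:
# ip ident user [timestamp] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions; a webshell is a file with one of these
# that an attacker placed on the server and then drives with HTTP requests.
SCRIPT_EXT = (".aspx", ".ashx", ".asp", ".php", ".jsp")

# Constructed sample log: one source probing several non-existent paths,
# a normal user logging in, and two sources POSTing to an unexpected .aspx file.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2021:03:14:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.7 - - [12/Jul/2021:03:14:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.7 - - [12/Jul/2021:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.7 - - [12/Jul/2021:03:14:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.7 - - [12/Jul/2021:03:14:03 +0000] "GET /console HTTP/1.1" 404 0 "-" "python-requests/2.25"
198.51.100.4 - - [12/Jul/2021:08:02:10 +0000] "POST /app/login.aspx HTTP/1.1" 200 512 "https://mail.example.test/app/" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2021:03:20:45 +0000] "POST /images/help.aspx HTTP/1.1" 200 88 "-" "python-requests/2.25"
203.0.113.9 - - [12/Jul/2021:04:01:12 +0000] "POST /images/help.aspx HTTP/1.1" 200 91 "-" "curl/7.68"
198.51.100.4 - - [12/Jul/2021:08:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "https://mail.example.test/app/" "Mozilla/5.0"
""".splitlines()

# Constructed baseline: the script endpoints the application legitimately exposes.
KNOWN_ENDPOINTS = {"/app/login.aspx", "/app/upload.aspx"}


def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scanner_sources(lines, min_404=5):
    """Source IPs that requested at least min_404 distinct non-existent paths.

    Indiscriminate scanning shows up as one address walking a list of
    well-known file and directory names, most of which return 404.
    """
    misses = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "404":
            misses[rec["ip"]].add(rec["path"].split("?")[0])
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= min_404}


def webshell_candidates(lines, known_endpoints):
    """Script files outside the known application surface that accept POSTs.

    Only successful (2xx) POSTs count: a webshell that is present and working
    answers its operator, whereas a scanner's POST to a missing file returns 404.
    Returns {path: sorted list of source IPs}.
    """
    hits = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?")[0]
        if (rec["method"] == "POST"
                and path.lower().endswith(SCRIPT_EXT)
                and path not in known_endpoints
                and rec["status"].startswith("2")):
            hits[path].add(rec["ip"])
    return {path: sorted(ips) for path, ips in hits.items()}


def review(lines, known_endpoints):
    """Combine both checks into one report for a log slice."""
    return {
        "scanners": scanner_sources(lines),
        "webshell_candidates": webshell_candidates(lines, known_endpoints),
    }


if __name__ == "__main__":
    for section, findings in review(SAMPLE_LOG, KNOWN_ENDPOINTS).items():
        print(section)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Any path reported under webshell_candidates should be checked on disk: a script file in a static content directory that the deployment did not ship, with a recent modification time, is the artifact to preserve and investigate. The baseline of known endpoints is the part that needs local knowledge; without it, every legitimate form handler would be reported.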