US and Allies Insist the Chinese State Responsible for Exchange Server Attacks

Much of the world's attention regarding cybersecurity matters has been firmly affixed to the NSO saga resulting from the Pegasus Project. While Spyware has been abused by governments dominated headlines, the US Government and its allies placed responsibility for the Exchange Server hacks that occurred in March squarely at the feet of the Chinese Government.

Given the number of incidents and revelations that have happened in 2021 already, what happened in March already feels like eons ago, so a quick recap of events is probably necessary. On March 2, 2021, Microsoft warned of a Chinese state-sponsored hacking group, codenamed Hafnium, was using several zero-day vulnerabilities discovered in Exchange Server, a popular enterprise product to better facilitate email communications, to distribute malware including ransomware.

This resulted in many rushing to patch the flaws and for those that remained ignorant, the US Department of Justice (DoJ) gave the FBI authority to remove unpatched web shells due to the risk it posed.

usa blames china for exchange servers hack

This was an unprecedented step in further empowering law enforcement to help prevent cyber-attacks.

Now, in an official statement released by the Whitehouse states,

“The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain…In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”

The above sentiment was echoed in statements released by both the United Kingdom and the European Union. Regarding the Microsoft Exchange Server hacks, the White House has accused four individuals carry out the attack under the umbrella of the MSS who conducted the attacks. The statement notes,

“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims. We have raised our concerns about both this incident and the PRC’s broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace.”

DoJ Charges

At the same time the White House published its statement the DoJ released a statement confirming the charges been made against the four above-mentioned individuals. The statement provides a unique insight into the infrastructure and tactics used to carry out the attack.

The release stated that hacks were carried out for extended periods of time for the economic benefit of the Chinese state by circumventing lengthy and costly research and development. In other words, economic benefit was gained by stealing sensitive data from foreign organizations be they public or private.

To do this, and direct attention away from the government’s involvement, a front company was created called Hainan Xiandun Technology Development Co., Ltd. The statement also alleges that,

“The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities. The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers.”

Deputy Attorney General Lisa O. Monaco went on to confirm the sentiment shared by the White House, stating,

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments. The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”

Regarding the tactics used by those charged, initial access would be gained using targeted spear-phishing emails. The emails would be supported by fake online profiles and domains to give the emails a veneer of legitimacy.

These would often be created to mimic legitimate companies. In other cases, the attackers would use stolen credentials to conduct spear-phishing campaigns within the organization or other organizations. Again, this assists the attacker’s goal in appearing to be legitimate.

Spear phishing operations were supplemented using sophisticated and specially created custom malware. To maintain a presence on the targeted network and increase privileges, attackers would also use freely available if needed.

The malware was primarily used to retain a high level of persistence on the network, enable the attackers to move laterally across the network, and steal username and password combinations of users with administrator access.

How data was exfiltrated was equally as sophisticated as the gaining and maintaining of access. The attackers would use TOR services to anonymize their communications between their infrastructure and their malware.

Data was exfiltrated by using steganography, this is when hackers hide data within files or images typically used by many in their daily lives reducing the suspicion that they might be used to hide malicious behavior.

It was also noted that attackers would abuse legitimate third-party applications like the DropBox API to upload stolen data. The use of DropBox in some instances was done to mimic an employee's use of the platform helping prevent detection by security teams.

The accused have been charged with conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison, and conspiracy to commit economic espionage, which carries a maximum sentence of fifteen years in prison if found guilty.

The four accused can be arrested if traveling internationally to a country with extradition or other law enforcement agreements with the US. However, if they remain in China the likelihood of arrest is slim to none.

China’s Response

A spokesperson for the Chinese Foreign Ministry Lijian Zhao has labeled the attributing of the Exchange Server attacks as baseless and a result of the US and its allies ganging up on China. Further, China has labeled the US as a “hacking empire.” Little to no evidence was provided to support this claim, particularly when compared to the evidence both public and private organizations have supplied regarding the Exchange Server attacks.

Governments across the globe, not just China and Russia, have seen the advantages of using cyber espionage to their benefit. It is cheaper and safer when compared to sending in individuals to act as spies to steal beneficial information. Further, operations can be conducted within the state's borders drastically reducing the dangers and having operatives caught behind enemy lines so to speak.

Declarations made by the White House regarding improvements to their cybersecurity posture will make it harder for cyber espionage campaigns but given the advantages the method offers it will likely never be eradicated.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal