The Biden administration publicly accused the People's Republic of China of a multi-year campaign of malign cyber activity in a Monday announcement, but failed to announce any sanctions or take direct action beyond unified pressure with Western allies including NATO, the U.K. and European Union.
The administration attributed "with a high degree of confidence" the Microsoft Exchange server attacks earlier this year to malicious cyber actors affiliated with the Chinese Ministry of State Security, claiming they exploited zero-day vulnerabilities that Microsoft later patched in March.
"Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable," Tom Burt, corporate VP, customer security and trust at Microsoft, said in a statement. "The governments involved in this attribution have taken an important and positive step that will contribute to our collective security."
Transparency is critical to combating the rise in cyberattacks against individuals, organizations and nations, according to Burt. Microsoft in early March attributed the Exchange server attacks to China, claiming a threat actor that it named Hafnium was behind the campaign. But federal officials did not publicly confirm a Chinese state link until yesterday.
Chinese officials vociferously denied the allegations and attacked the U.S. and Western ally actions during a press conference.
"The U.S. ganged up with its allies to make groundless accusations out of thin air against China on the cyber security issue," Ministry of Foreign Affairs spokesman Zhao Lijian said in response to a question during a daily press briefing in Beijing. "This act confuses right with wrong and smears and suppresses China out of political purpose. China will never accept this."
The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI issued a joint cybersecurity advisory warning that Chinese state-sponsored actors are masking their activities using virtual private servers and using open source and commercial penetration testing tools. They also said these actors are looking to exploit vulnerabilities in Pulse Secure, Apache, F5 BIG-IP and Microsoft applications.
The administration claims China has also worked with contract hackers to launch ransomware, extortion attacks and cryptojacking against organizations worldwide. China launched a ransomware attack against a major U.S. company and made a large ransom demand, a senior administration official said on a call with reporters Sunday night. The official did not disclose the name of the company or the ransom amount.
What attribution means for the enterprise
President Biden, when asked why the administration failed to impose sanctions against China, in contrast to the actions it took over SolarWinds, said Monday that the investigation into the attacks was still ongoing and that he was getting an additional report on the activities. Administration officials said they have not ruled out further actions against China.
The U.S. is likely still looking for more evidence, according to Jamil Jaffer, SVP of strategy, partnerships and corporate development at IronNet and a former associate White House counsel for George W. Bush.
"If we are really to deter such activity, naming and shaming, while important, will have to turn into more real action, whether in the criminal realm or stronger activities ranging from sanctions to more aggressive cyber activities on our side," Jaffer said via email.
Federal authorities did launch a crackdown in April to remove the remaining web shells from systems impacted by the Microsoft Exchange server attacks. The attack, which began in January, compromised tens of thousands of small- to medium-sized organizations around the world and led to a series of opportunistic ransomware and other attacks by criminal gangs.
"Formally accusing the Chinese government of widespread attacks, including the recent high profile Microsoft Exchange hack, is an important push for accountability as countries around the world grapple with the onslaught of attacks," said Amit Yoran, chairman and CEO of Tenable and former founding director of US-CERT at the Department of Homeland Security.
While international alliances, formal attribution, prosecution and other tactics will help deter APT activity, Yoran warned companies still need to exercise a standard of care when defending against malicious cyber activity.
The formal attribution by multiple governments to China is consistent with findings released earlier this year by Mandiant, according to Ben Read, director of analysis at Mandiant Threat Intelligence. The links between APT40 and China's Ministry of State Security alleged by the DOJ are consistent with technical details released by Mandiant, Read said.
The Department of Justice unsealed charges Friday against four alleged Chinese national hackers affiliated with the MSS who engaged in a multi-year computer intrusion campaign to steal intellectual property and Ebola research. A federal grand jury originally returned the indictment against the alleged hackers in May. The group has previously been observed operating under various names, including APT40, the designation Mandiant uses.
"The indictment highlights the significant threat to multiple businesses from Chinese espionage," according to Read. "The group's focus on biomedical research shows that emerging technologies are still a key target for Chinese espionage. Alongside that, the theft of negotiating strategies underscores the risk posed to all companies doing business with China, not just those with high value intellectual property."