The U.S. government and its allies, including the European Union, the U.K., and NATO, have attributed the massive cyberattack against Microsoft Exchange email servers to a state-sponsored hacking group associated with the People’s Republic of China’s Ministry of State Security (MSS).
The espionage campaign exploited four previously undiscovered vulnerabilities in Microsoft Exchange software and is believed to have hit at least 30,000 organizations in the U.S. and hundreds of thousands more worldwide.
The MSS was outed as the party behind a series of malicious cyber activities tracked under the names “APT40” and “APT31.”
The U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory listing over 50 tactics, techniques, and procedures employed by APT40 and other Chinese state-sponsored cyber actors.
The U.S. Department of Justice (DoJ) pressed criminal charges against four MSS hackers belonging to the APT40 group over a multiyear campaign targeting foreign governments and entities in the maritime, aviation, defense, education, and healthcare sectors in at least a dozen countries to facilitate the theft of trade secrets, intellectual property, and other high-value information.
Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were intelligence officers in the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS).
They founded a front company, Hainan Xiandun Technology Development Co., Ltd. (Hainan Xiandun), that acted as a cover for their hacking operations as revealed in the indictment.
Wu Shurong, the fourth Chinese national indicted, was hired through Hainan Xiandun to create malware, hack into the computer systems of foreign governments, companies, and universities to steal trade secrets, intellectual property, and other high-value information, and supervise other Hainan Xiandun hackers.
The four suspects are charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit economic espionage, carrying maximum sentences of five and 15 years in prison, respectively.
In a press statement, the European Union urged Chinese authorities to take action against malicious cyber activities undertaken from its territory.
The Chinese government has repeatedly denied claims of state-sponsored intrusions. A spokesperson for the Chinese Embassy in Washington described China as “a severe victim of the U.S. cyber theft, eavesdropping, and surveillance,” adding that the “U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity.”