US and its NATO allies officially accuse China of Microsoft Exchange Server hack


The United States and its NATO allies have formally accused the Chinese government of sponsoring Microsoft Exchange Server hacks that took place earlier this year. A state-run Chinese media outlet calls the accusation "absurd."

In March, Microsoft released a statement saying it had detected "multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks." The attacker was able to use vulnerabilities to access email accounts and install malware that enabled them to undertake further, more long-term attacks. Patches were released in short order, but Microsoft said in an update posted a week later that it "continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server."

Microsoft pointed the finger at Hafnium, a "highly skilled and sophisticated" Chinese hacker group that it claims targets US-based interests and industries including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software," Microsoft's Tom Burt explained. "To date, Hafnium is the primary actor we've seen use these exploits."

Today, the US government backed Microsoft's assertion that Hafnium is a "state-sponsored threat actor," issuing a statement attributing "malicious cyber activity and irresponsible state behavior" to the People's Republic of China.

The statement accuses the Chinese government of using "criminal contract hackers to conduct unsanctioned cyber operations globally." It also claims that alongside an alleged contract with China's Ministry of State Security, the hackers involved have "engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for [personal] financial gain."

It also reiterates Microsoft's allegations from March, saying "with a high degree of confidence" that China-based hackers were in fact behind hacks that took advantage of Microsoft Exchange Server vulnerabilities. The statement says "tens of thousands of computers and networks worldwide" were compromised "in a massive operation that resulted in significant remediation costs for its mostly private sector victims."

While the US government hasn't taken any direct action against China at this point, it has filed criminal charges against four individuals allegedly connected with online espionage efforts by China. The charges aren't related to the Microsoft Exchange Server hacks, but rather "a multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in at least a dozen countries" that took place from 2011 to 2018.

The UK, European Union, and Canada issued parallel statements condemning the Microsoft Exchange Server hack and other cyber-espionage efforts. NATO, the North Atlantic Treaty Organization, also issued a statement condemning "malicious cyber activities," although it took a somewhat more circumspect approach and did not point the finger at China directly.

"We acknowledge national statements by Allies, such as Canada, the United Kingdom, and the United States, attributing responsibility for the Microsoft Exchange Server compromise to the People's Republic of China," it said. "In line with our recent Brussels Summit Communiqué, we call on all States, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace."

China's Ministry of Foreign Affairs has not yet responded to the accusation, but the state-run Xinhua News Agency described the claims as "absurd" on Twitter.

Xinhua's remark references CIA analyst whistleblower Edward Snowden, who said in 2013 that he believed the US National Security Agency had conducted more than 61,000 hacking operations globally, including many in China. In 2014, The New York Times reported that Snowden's documents showed that the NSA did hack into the servers of Chinese telecom giant Huawei.

Andy Chalk
US News Lead