Canada, other members of the Five Eyes intelligence co-operative, and members of NATO today accused China of malicious cyber activity, including responsibility for the Microsoft Exchange Server compromise discovered earlier this year.
“Today, Canada joins its allies in identifying People’s Republic of China’s (PRC) state-backed actors for the unprecedented and indiscriminate exploitation of Microsoft Exchange Servers,” said a statement from Foreign Affairs Minister Marc Garneau, Defense Minister Harjit Sajjan, and Public Safety Minister Bill Blair.
“In early March 2021, Microsoft disclosed vulnerabilities in its Exchange servers that were exploited by state actors. This activity put several thousand Canadian entities at risk—a risk that persists in some cases even when patches from Microsoft have been applied. Globally, an estimated 400,000 servers have been affected.
“Canada is confident that the PRC’s Ministry of State Security (MSS) is responsible for the widespread compromising of the Exchange servers.”
Separately, the federal Canadian Centre for Cyber Security released an update to its 2019 Cyber Threats to Canada’s Democratic Process report. Among other things the update says democratic processes remain a popular target for cyber attackers. After increasing from 2015 to 2017, the proportion of democratic processes targeted by cyber threat actors has remained relatively stable since 2017. “From 2015 to 2020, we judge that the vast majority of cyber threat activity affecting democratic processes can be attributed to state-sponsored cyber threat actors. These actors target democratic processes in pursuit of their strategic objectives (i.e., political, economic, and geopolitical).”
U.S. reaction
A statement this morning from the White House said that, “we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s [People’s Republic of China] unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”
At the same time the U.S. Department of Justice announced criminal charges against four members of China’s Ministry of State Security for an alleged multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in a least a dozen countries.
The defendants and their Hainan State Security Department (HSSD) conspirators allegedly sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. That company, the U.S. says, has been disbanded.
Supporting U.S. documents allege these hackers pursued the theft of Ebola virus vaccine research. The government also alleges that China’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information.
Much of the activity alleged in the Department of Justice’s charges “stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage,” the White House statement said.
The statement follows President Joe Biden’s demands that Russia stop supporting cyber attack groups.
Canada’s statement
The Canadian statement says several cyber groups from the PRC are believed to have taken part in the Microsoft Exchange operation, including Advanced Persistent Threat Group 40 (APT 40) Other threat researchers call this group Kryptonite Panda, TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Leviathan or Mudcarp. “These actors are highly sophisticated and have demonstrated an ability to achieve sustained, covert access to Canadian and allied networks beyond the compromising of Microsoft Exchange servers.
“APT 40 almost certainly consists of elements of the Hainan State Security Department’s regional MSS office. This group’s cyber activities targeted critical research in Canada’s defense, ocean technologies and biopharmaceutical sectors in separate malicious cyber campaigns in 2017 and 2018.”
“Canada and its allies remain steadfast in their unity and solidarity in calling out irresponsible state-sponsored cyber activity. Canada will continue to release public attributions to make clear to perpetrators that it will expose malicious cyber activity conducted against Canada and its allies. Canada will continue to work in concert with partners on this crucial security issue.
“Canada remains committed to working with partners to support the open, reliable and secure use of cyberspace and calls on China to act responsibly and cease this pattern of irresponsible and harmful cyberspace behaviour. These kinds of reckless actions cannot be accepted and tolerated by responsible state-actors.
The Canadian Centre for Cyber Security has put out guidance on mitigating the ongoing threat posed by Microsoft Exchange server vulnerabilities. It was most recently updated in April.
UPDATE: The Associated Press quoted a spokesperson for the Chinese Embassy in Washington saying the U.S. “has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.” The statement called China “a severe victim of the US cyber theft, eavesdropping and surveillance.”
Related content: UN group reaches consensus on fighting cyberspace attacks
In an interview Chris Painter, a former U.S. cyber diplomat who helped negotiate a 2015 cyber agreement between the U.S. and China and is now president of the Global Forum on Cyber Expertise, said the U.S. statement and laying of charges was “a positive development.”
He was struck by the number of countries that signed on to today’s complaint against China. Several countries have joined together in denouncing certain cyberattacks before, he said, but “this is a pretty unprecedented group that includes NATO … that sends a pretty strong message.”
Chinese leaders “won’t be happy this number of countries banded together,” he added.
“Will it change their behaviour? I don’t think [the statements] standing alone will. I think we have to look at other tools. But I think this sets a strong foundation for using other tools, like sanctions, in the future.”
“I thought the Microsoft Exchange attack was in some ways more serious than SolarWinds, he said, “because of the reckless way it was done that left a lot of victim’s systems open to further exploitation by criminals and ransomware actors. Even if it was ‘just espionage’ it went beyond the normal cannon in terms of the damage it caused.”
The 2015 agreement saw both the U.S. and China promising to not knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage. Later all G20 countries signed on. But, he added, that took over a year of sustained pressure and the threat of U.S. trade sanctions against China — including from the U.K. and Australia — unless there was action.
For a time there was a lessening of cyberattacks. But things changed with the souring of relations with the Trump administration, Painter said.
“We have to be willing to draw the line and enforce accountability when they cross it.
Geopolitical tensions are being played out in cyber battles with organizations getting caught in the crossfire, noted David Masson, Canadian-based director of enterprise security at Darktrace.
“Although it is difficult to attribute these attacks to any single nation-state, our government should take every opportunity to pressure cyber-criminals and grow international condemnation in the hopes of resetting the current state of unchecked nation and non-nation state cyber-aggression targeting countries globally. This lack of a unified strong and significant international response only further emboldens nation-state-driven or sponsored cyber-attacks against the private sector and government institutions.
“Canada can lead the way in putting every nation-state and cybercriminal group, whether state-sponsored, supported, or simply sheltered, on notice that cyber-attacks will not only be taken extremely seriously, but that there could be a high cost where those responsible are held accountable through all levers of national power.
“The priority must be protecting Canadian businesses and institutions from cyber-attacks that pose a threat to both economic and national security.”