UK and chums call out Chinese Ministry of State Security for Hafnium Microsoft Exchange Server attacks

And US indicts four Chinese spies on suspicion of the hacks


The Microsoft Exchange Server attacks earlier this year were "systemic cyber sabotage" carried out by Chinese state hacking crews including private contractors working for a spy agency, the British government has said.

Foreign Secretary Dominic Raab said this morning in a statement: "The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not."

By exploiting four zero-day vulns in Exchange Server, the attackers were able to conduct an espionage campaign against western governments, defence and aerospace firms, education institutions and more. Immediate patches were issued within a week, with long-term fixes deployed as part of April's Patch Tuesday run.

Raab's condemnation of China was echoed by the EU, which said its member states "strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all UN Member States."

NATO also expressed "solidarity" with victims of the Exchange Server hacks, saying it was "determined to employ the full range of capabilities, as applicable, at all times to actively deter, defend against, and counter the full spectrum of cyber threats."

Meanwhile, the US Department of Justice charged four Chinese men [PDF, 28MB] with operating a front company in Hainan Province, southern China, for carrying out the Exchange Server attacks.

FBI wanted poster for alleged members of APT40, aka China's Ministry of State Security hackers
Today's attribution by the National Cyber Security Centre mirrors four-month-old findings from Microsoft, though the NCSC's version goes into greater detail. When the Exchange Server campaign came to light in March, Microsoft attributed the zero-day exploitations to "a state-sponsored threat actor" that was "based in China."

The attributions are therefore not new but do represent the first formal acknowledgment by western governments that the two APTs behind Hafnium operated with the approval of the Chinese government in Beijing.

The Exchange Server zero-days were also used to spread ransomware, and it is not clear from today's announcements whether the UK and US are explicitly blaming China's government for that as well. Rumours were going around that a behind-closed-doors warning by Microsoft to security partners in late February was leaked, allowing criminals to abuse the zero-days just as patches were published.

Lifting the lid on Hafnium

Although Microsoft's security staff nicknamed the Exchange Server attackers Hafnium, they are publicly tracked as APT31 and APT40.

"NCSC judge that APT40 is highly likely to be sponsored by the regional MSS security office, the MSS Hainan State Security Department (HSSD)," said the British infosec agency today.

The MSS was seen targeting "naval defence contractors across the US and Europe" as well as "regional opponents of the Belt and Road initiative," China's multinational infrastructure construction initiative that has been criticised for leaving partner countries with hefty loans to pay off. Some academics dispute this interpretation of the Belt and Road Initiative as a "debt trap", though the intent is clearly to establish Chinese dominance of new roads and rail links across the world.

Back in 2019, FireEye published research into a five-year espionage campaign by APT40 directed at naval and maritime companies, stealing intellectual property in order to boost China's warship design and construction efforts.

APT31, meanwhile, is thought to be a "group of contractors" working for the MSS since last year. Its operators target governments, political parties and "service providers", and were responsible for targeting the Finnish parliament in late 2020.

NCSC ops director Paul Chichester said in a statement: "It is vital that all organisations continue to promptly apply security updates and report any suspected compromises to the NCSC via our website." ®

Biting the hand that feeds IT © 1998–2022