The U.S. has formed a coalition with its allies and other partners to identify and condemn malicious cyber activities orchestrated by China’s Ministry of State Security (MSS), the White House said Monday, warning it is weighing additional measures to hold Beijing accountable for its actions.
The MSS, China’s secret police, knowingly uses criminal contract hackers to conduct unsanctioned cyber operations around the globe, including for their own personal profit, through “cyber-enabled extortion, crypto-jacking, and theft,” the Biden administration said in a statement. State-affiliated cyber operators are also known to have conducted ransomware operations against private companies that have included ransom demands of millions of dollars, it said.
“The PRC’s (People’s Republic of China) unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the White House said.
It called Beijing’s behavior in cyberspace “inconsistent with its stated objective of being seen as a responsible leader in the world.”
The administration announced that the U.S. is joining with the EU, the U.K., Australia, Canada, New Zealand, Japan, and NATO to “call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.”
A senior administration official said the collaboration “will allow us to enhance and increase information sharing, including cyber threat intel and network defense information with public and private stakeholders, and expand diplomatic engagement to strengthen our collective cyber resilience and security cooperation.”
Monday’s announcement formally attributed the malicious cyber campaign utilizing the zero-day vulnerabilities in the Microsoft Exchange Server disclosed in March to malicious cyber actors affiliated with the MSS “with high confidence.” The attack impacted some 140,000 servers worldwide.
When asked for additional details on the Microsoft hack, the senior administration official called it “surprising,” adding that “it really gave us new insights on the MSS's work and on the kind of aggressive behavior that we're seeing coming out of China.”
Monday’s statement from the White House came as the U.S. National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory (CSA) providing detailed information on the tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors when targeting U.S. and allied networks.
The advisory also provided recommendations to entities in the public and private sectors to mitigate the threat.
The U.S. Department of Justice also announced criminal charges Monday against four MSS hackers addressing what it said were activities concerning a multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in a least a dozen countries.
According to the indictment, the defendants and officials in the Hainan State Security Department tried to hide the Chinese government's role in the information theft by using a front company.
U.S. Secretary of State Antony Blinken told reporters that China’s MSS had “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” and pointed to the Department of Justice indictments as examples of how the U.S. will respond.
Allies condemn Beijing
In a separate statement on Monday, the EU said it is still reeling from the attack on the Microsoft Exchange Server and urged China to fight cybercrime occurring within its borders.
“The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all U.N. member states,” said the statement from Josep Borrell, the European High Commissioner of the Union for Foreign Affairs and Security Policy.
“We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”
NATO’s North Atlantic Council also issued a statement condemning malicious cyber activities, including the Microsoft compromise, which it said undermine security, confidence and stability in cyberspace.
“We call on all States, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” said the statement, which marked the first time that the 30-nation bloc has condemned Beijing’s cyber activities.
British Foreign Secretary Dominic Raab warned in a statement on Monday that if China’s government does not take action to end what he called “systematic” cyberattacks, it would be “held accountable.”
While Monday’s statements were some of the most damning to date against China for allowing cybercrime to occur on its watch, the U.S. and its allies stopped short of sanctions against Beijing. The White House said it was “not ruling out further actions.”
Beijing has yet to issue a response to the allegations made Monday, but an editorial in the official English language Global Times newspaper labeled them a “huge lie” and suggested that the U.S. is using the issue of cyberattacks to enlist its allies in “smearing China.”
“Cyberattacks are difficult to trace. Washington is exploiting them to frame China,” said the unsigned editorial, which repeated China’s stock response to complaints about its practices.
“Cyberattacks have happened in almost all countries and China has suffered more damage than the US. The U.S., the global top technology center, has blatantly set up cyber troops, but loudly accuses other countries of launching cyberattacks. How ridiculous!”
The editorial warned that if the U.S. takes “aggressive measures,” China “will retaliate,” adding that Washington’s allies will also incur Beijing’s wrath.
Sending a message
Timothy Heath, a senior researcher at the Washington-based RAND Corporation, told RFA Monday’s statements were meant to send a message to China that the U.S. and its allies are watching.
But he suggested that they would do little to deter China for now because it is difficult to link the MSS to criminal cyber activities based inside the country and “the cost of cyberattacks is quite low.”
Dustin Carmack, a technology policy researcher at Washington-based think tank Heritage Foundation, recently noted that U.S. cybersecurity posture is undergoing fundamental changes. He said Washington should employ a blend of offensive and diplomatic frameworks to respond to authoritarian countries and the cybercrimes they support.
“We should tell the governments of Russia, China, Iran, and North Korea that we will not tolerate state-sponsored cyberattacks, and that deliberate ignorance of cyber operations against the United States will have major consequences,” Carmack wrote.
Of allies, he said, “they are facing the same attacks—work with us.”
Reported by Rita Cheng for RFA’s Mandarin Service. Translated and written in English by Joshua Lipes.
