China accused of cyber-attack on Microsoft Exchange servers
London – The United Kingdom, United States and European Union have accused China of carrying out a major cyber-attack earlier this year.
The attack targeted Microsoft Exchange servers, affecting at least 30 000 organisations globally.
Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating.
The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and a broader pattern of “reckless” behaviour.
China has previously denied allegations of hacking and says it opposes all forms of cyber-crime.
The unified call-out of Beijing shows the gravity with which this case has been taken. Western intelligence officials say aspects are markedly more serious than anything they have seen before.
It began in January when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. They used the vulnerability to insert backdoors into systems which they could return to later.
The UK said the attack was likely to enable large-scale espionage, including the acquisition of personal information and intellectual property.
It was mainly carried out against specific systems which aligned with Hafnium’s previous targets, such as defence contractors, think tanks and universities.
“We believe that cyber-operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January, and were racing to exploit the vulnerability before [it] was widely identified in the public domain,” a security source told the BBC.
If this had been all, it would have been just another espionage operation. But in late February something significant changed.
The targeted attack became a mass pile-in when other China-based groups began to exploit the vulnerability. The targets scaled up to encompass key industries and governments worldwide.
It had turned from targeted espionage to a massive smash-and-grab raid.
Western security sources believe Hafnium obtained advance knowledge that Microsoft intended to patch or close the vulnerability, and so shared it with other China-based groups to maximise the benefit before it became obsolete.
It was the recklessness of the decision to spread the vulnerability that helped drive the decision to call out the Chinese publicly, officials say.
The UK is also understood to have raised the issue of Chinese cyber-activity in private with Beijing over an extended period, including handing over dossiers of evidence.
Microsoft went public about the vulnerability on 2 March and offered a patch to close it. At this point, more hackers around the world had realised its value and piled in.
Around a quarter of a million systems globally were left exposed – often small or medium-sized businesses and organisations – and at least 30 000 were compromised. (BBC)