UK, US confirm Chinese state backed MS Exchange Server attacks

The UK and US governments, alongside allies and partners including the European Union (EU) and Nato, have confirmed today that a group of Chinese state-backed malicious actors known as Hafnium were responsible for gaining illicit access to multiple target networks via vulnerabilities in on-premise versions of Microsoft Exchange Server.

The Exchange attacks took place earlier this year and compromised thousands of organisations around the world – at least 30,000 in the US alone – probably to enable large-scale espionage, including obtaining personal data and intellectual property.

In the UK, the National Cyber Security Centre (NCSC) said it has now supported more than 70 victims, providing tailored advice and guidance to help them navigate the aftermath of the attacks.

“The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyber space,” said NCSC operations director Paul Chichester. “This kind of behaviour is completely unacceptable, and alongside our partners, we will not hesitate to call it out when we see it.

“It is vital that all organisations continue to promptly apply security updates and report any suspected compromises to the NCSC via our website.”

Foreign secretary Dominic Raab added: “The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese government must end this systematic cyber sabotage and can expect to be held to account if it does not.”

The UK also today accused the Chinese Ministry of State Security (MSS) of being behind the activity of groups referred to as APT40 and APT31, which between them have targeted maritime and naval defence contractors, and government bodies.

Raab accused Beijing of having repeatedly ignored calls to end this campaign of activity, and said it was instead allowing these groups to ramp up their activity, and act recklessly when caught.

He called on the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data and commercial interests “of those with whom it seeks to partner”.

The UK is also calling on China to reaffirm previous commitments made to the UK in 2015, and as part of the G20, not to conduct or support cyber-enabled theft of intellectual property.

At the same time, the US Department of Justice (DoJ) has today charged four members of APT40 of running a campaign of cyber attacks that targeted private companies, universities and government bodies around the world between 2011 and 2018.

The DoJ alleged that the defendants and conspirators at the Hainan State Security Department (HSSD) sought to obfuscate their theft by establishing a front company – Hainan Xiandun – operating out of the city of Haikou in Hainan, an island province lying off China’s south coast, about 300 miles east of Hong Kong.

The indictment names Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin as HSSD officers responsible for coordinating, facilitating and managing an intrusion team made up of technical specialists and linguists at Hainan Xiandun. It also names Wu Shurong as a supervisor who, as part of his job duties at the front company, accessed computer systems operated by foreign governments, companies and universities, and oversaw others on the payroll.

They are also accused of working with staff and professors at universities in Hainan and elsewhere in China to further the campaign’s goals. The universities supposedly provided material assistance to the MSS in identifying and recruiting people to penetrate and steal from target networks.

The campaign is known to have had victims in Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, the UK and the US, with targeted verticals including aviation, defence, education, government, healthcare, biopharmaceutical and maritime.

Some of the IP stolen included technology relating to submersible and autonomous vehicles, chemical formulae, commercial aircraft servicing, genetic sequencing tech, research on diseases including Ebola, HIV/AIDS and MERS, and information that could have supported China’s efforts to secure contracts for its state-owned enterprises in targeted countries.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” said US deputy attorney general Lisa Monaco.

“The breadth and duration of China’s hacking campaigns, including these efforts … remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”

APT40 supposedly accessed its victim networks via fraudulent spear-phishing campaigns, backed by fictitious online profiles and lookalike domains created to mimic the websites of legitimate companies and partners. In some cases, the team also used hijacked credentials to target others at the same organisation.

The campaign also used multiple strains of malware to expand their reach and maintain their presence within their victim networks, including BADFLICK or GreenCrash, PHOTO or Derusbi, MURKYTOP or mt.exe, and HOMEFRY or dp.dll. The malware was most often accessed, and the intrusion infrastructure managed, through anonymiser services such as Tor, while stolen data was stored on GitHub, concealed using steganographic techniques. The conspirators also exploited Dropbox API keys to make it seem that their data exfiltration was an insider legitimately using Dropbox.

More details of the group’s work, including technical details, indicators of compromise and mitigation advice, can be found in a newly published CISA advisory.