The UK on Monday confirmed that Chinese state-backed actors were responsible for the cyberattack on Microsoft Exchange earlier this year that affected over a quarter of a million servers worldwide.
Foreign Secretary Dominic Raab said in a statement that the attack was “a reckless but familiar pattern of behaviour.”
“The Chinese government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab warned.
The National Cyber Security Centre (NCSC) said that it’s “almost certain” that Hafnium, a group that is “highly likely” to be linked with the Chinese state, was responsible for the attack.
It also assessed that the attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.
The NCSC said the attack on Microsoft Exchange servers was the “most significant and widespread cyber intrusion against the UK and allies uncovered to date.”
Paul Chichester, the NCSC’s director of operations, said in a statement that the attack is “another serious example of a malicious act by Chinese state-backed actors in cyberspace.”
The NCSC said it was able to quickly provide tailored advice to affected organisations to mitigate the damage.
Officials also said that the Chinese Ministry of State Security (MSS) is behind activities known by cybersecurity experts as “APT40 [Advanced Persistent Threat 40]” and “APT31 [Advanced Persistent Threat 31].”
APT40, which targeted maritime industries and naval defence contractors in the United States and Europe, regional opponents of the Belt and Road Initiative, and multiple Cambodian electoral entities in the run-up to the 2018 election, is highly likely sponsored by the regional MSS security office, the MSS Hainan State Security Department (HSSD), the NCSC said.
It added that it’s “almost certain” that APT31, which targeted government entities, political figures, contractors, and service providers, is a group of contractors working directly for the MSS.
The UK’s announcement comes in coordination with its allies, including the United States, the European Union, and NATO.
NATO observes “with increasing concern that cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent,” the security alliance said in its statement, adding that it condemns such malicious cyber activities designed to “destabilize and harm Euro-Atlantic security and disrupt the daily lives of our citizens.”
“Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities, as applicable, at all times to actively deter, defend against, and counter the full spectrum of cyber threats, in accordance with international law,” the statement reads.
Also on Monday, the United States charged four Chinese nationals involved with APT40, three of whom are alleged officers in the HSSD, a provincial arm of China’s MSS.
The defendants were charged with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018.
The U.S. Department of Justice said the campaign targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.