U.S. Accuses China of Hacking Microsoft

Posted on July 19, 2021 by Paul Thurrott in Cloud, Microsoft, Microsoft 365 with 22 Comments

The United States, in concert with the EU, UK, and NATO, has formally charged China with orchestrating the February and March ransomware attacks on Microsoft Exchange servers.

“Responsible states do not indiscriminately compromise global network security nor knowingly harbor cybercriminals — let alone sponsor or collaborate with them,” U.S. Secretary of State Antony Blinken said. “These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the [Chinese Ministry of State Security (MSS)] had them on its payroll.”

According to the charges, China and a hired army of digital mercenaries engaged in a multiyear campaign targeting foreign governments and key corporations in maritime, aviation, defense, education, and healthcare in more than a dozen countries. They attempted to steal Ebola vaccine research as well as intellectual property, trade secrets, and confidential business information. The U.S. government says that it has “a high degree of confidence” that these attacks were all state-sponsored.

“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited vulnerabilities [in Exchange] to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” the White House alleges. “In the past few months, we have focused on ensuring the MSS-affiliated malicious cyber actors were expelled from public and private sector networks and the vulnerability was patched and mitigated to prevent the malicious cyber actors from returning or causing additional damage.”

Additionally, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) have collectively released a cybersecurity advisory that details additional ways in which China targeted U.S. and allied networks. The hope is that, by exposing China's techniques and providing actionable mitigation guidance, the U.S. Government can help others take action against these and other cybersecurity threats.

“The compromise and exploitation of the Microsoft Exchange server undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions,” an EU Foreign Affairs and Security Policy statement adds. “The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behavior as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”

Finally, the U.S. Department of Justice (DOJ) has publicly detailed a grand jury indictment that charges four Chinese individuals who worked with the Chinese Ministry of State Security on a hacking campaign that ran from 2011 to 2018. According to the charges, these hackers attempted to steal intellectual property and confidential business information from key aviation, defense, education, government, health care, biopharmaceutical, and maritime companies in several other countries. While not directly related to the Microsoft hacks, these efforts paint a picture of years of cyber-attacks undertaken by China.

The “conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company,” the DOJ notes, adding that one of the individuals charged “created malware, hacked into computer systems operated by foreign governments, companies, and universities, and supervised other hackers,” and that Chinese universities actually helped MSS find hackers. The crimes represent “a worldwide hacking and economic espionage campaign led by the government of China,” according to Acting U.S. Attorney Randy Grossman for the Southern District of California.

Comments (22)

  1. sherlockholmes

    My first guess was Russia :-P

  2. Greg Green

    And despite this I expect many corporate leaders still won’t consider IT security a worthwhile investment. I hope I’m wrong.

    And if the ransomers can encrypt your data, doesn’t that make it likely they’ve already taken the interesting stuff from it?

  3. John Craig

    Ok, so it was China. "Ya got me!" says every Chinese hacker, before returning to their keyboard.

    Now what?

    Now that we have proof (like we didn't before...come on, we've known every major hack has originated from China, Russia, or Iran for years) what are we, the victims of these crimes, going to do about it?

    Charging four patsies that China has thrown to the wolves is a joke.

    And the EU response, bless them, that they'll continue to "urge China to behave responsibly" is the joke of all jokes.

  4. fuzzsdad

    Yes I told you about China

  5. bettyblue

    So I guess the former administration was right about not wanting to use Huawei 5G equipment?

    • mikegalos

      If by "former administration" you mean the Obama one since they had the strictest restrictions on Chinese high-tech being used in US infrastructure.

      • bettyblue

        No, I mean the last administration, as I specifically stated Huawei and the 5G ban. When they dropped the hammer on Huawei, Paul was against it and stated the US had no proof or they would have shown it... basically defending Huawei in that case.

        • bluvg

          The conflict with Huawei goes back to the early 2000s, including the proven case in 2003 of stealing tech from Cisco and claiming it as their own.

  6. markld

    Wow, when I worked at Lowe's in 2005-2012, a huge percentage of goods were solely from China. Maybe 1-2% was made in the USA, 4% in other countries except China, the rest was from China. Same for Home Depot.

    I heard and read from a few people that China is no good, they aren't our friends, they don't even really care about their customers per se (cases in point at that time period, 2005ish to 2007ish: bad chemicals in dog food, lead in paint, stuff in/on children's toys & more; then what about all the intellectual property stealing, reverse engineered things, or counterfeit goods that has been going on). I have no doubts about spying.

    I used to say China is a bad actor and they are not really doing us any good; yes, we can get cheap crap from them at an inexpensive price, but at a huge cost to us.

    When I point out the ills of China to others, people I know say we do it too... Really, we do?

    Wonder if my thinking was xenophobic or racist?

    • bluvg

      Re: xenophobic or racist: don't be surprised if your comment is deleted. I've even directly linked to documents from the Chinese government that state clearly the government's intent to co-opt foreign public and private IP. I tried to distinguish as clearly as I could that it was a point highlighting a govt policy concern, not xenophobia or some side remark about Chinese people. Deleted anyway.

      Not my site, I get it, it doesn't bother me much, and I'm really not one to try to cause drama for anyone--running a site like this can be a thankless job. But to the extent it's a site guideline/policy thing, it sometimes doesn't seem to matter if it's a relevant, dispassionate, evidence-based argument.

    • peterc

      Everyone does it to everyone else the world over… doesn’t make it right either way, although the most prolific nations appear to be Russia, China, USA, India and North Korea. My country, the UK, tries to be prolific but we don’t put enough money in the electricity meter, so we tend to do more of the shouting from the sidelines…

      Remember Edward Snowden… he had quite a bit to say on this subject that’s worth re-reading from time to time, as it really was quite frank, detailed information.

      But whoever’s doing it to whoever else right now, all I ask is can they please do stuff that avoids me getting sooooo much phishing email in my Exchange inbox please… as clearly this hack caused a shed load of Exchange-related phishing emails, and none of it particularly convincing, but all of it a right pain.

      • mikegalos

        As a bit of an FYI: I worked for a while as a Security Program Manager at Microsoft and two comments:

        1. Little besides codenames was leaked by Edward Snowden that wasn't already "common knowledge" inside the computer security world.
        2. Even 20 years ago we were assuming that our opponents weren't "fat teenagers in their parents' basement" but a mix of organized crime and national intelligence agencies. That continues to be true, although the line between those two blurs a lot when you are talking about certain countries.

      • markld

        Peterc: Thanks for the reply. Appreciate your comments. Do understand them.

        I've heard that before about electrical meters in the UK, I guess people used to have prepaid meters, that's interesting. Now some have "Smart" meters that aren't that smart.

        Snowden stuff is worth revisiting.

        These phishing emails are amazing, so amazing that I am amazed people click on one. But really they are just the worst form of spam.

        Take care

        • mikegalos

          As an FYI: some people in the UK still have pre-pay electrical service where you pay into a meter and when the money runs out so does the power. It's not as common but it is still an option that people can and do use.

  7. mikegalos

    And people are wondering why Microsoft is enforcing hardware based security in Windows 11...

    • Paul Thurrott

      I don't think anyone is seriously questioning that. What they're questioning is how it was communicated and what feels like an arbitrary Intel Core gen-8 cutoff.

    • bettyblue

      Agreed they should. You can run Windows 10 for another 4 years supported and long after that on old hardware if you want.

      TPM 2.0 should be a hard requirement, and I hope they do not back down.


  8. drewsteele

    This is nothing new and has been going on for decades. Point in case... China/Russia hacked blueprints at the Naval Shipyards, downloading and changing designs in the late '90s. Some idiot thought it was safe to store this information on a Windows 98 machine. Username and password were bypassed by escaping out and then accessing files. Caused everything in the military to be upgraded to NT across the board. This is an old game and it won't stop. Main players: China, Russia, Iran, U.S., and the player of the week.