The US and a coalition of allies have accused China of a global cyber hacking campaign that employed contract hackers, specifically attributing a large Microsoft attack disclosed earlier in 2021 to actors working on the country’s behalf.
Opening a new area of tensions with China, the US is joined by NATO, the European Union, the United Kingdom, Australia, Japan, New Zealand and Canada to level the allegations.
Foreign Affairs Minister Marise Payne, Home Affairs Minister Karen Andrews and Defence Minister Peter Dutton said the activities by China’s Ministry of State Security were malicious and concerning.
Australia and its international allies have determined the ministry exploited vulnerabilities in Microsoft Exchange software earlier this year, affecting thousands of computers and networks worldwide.
“These actions have undermined international stability and security by opening the door to a range of other actors, including cybercriminals, who continue to exploit this vulnerability for illicit gain,” the three ministers said in a joint statement on Monday night.
US Secretary of State Anthony Blinken said in a statement on Tuesday morning (Australian time) that Beijing must be held accountable “for its pattern of irresponsible, disruptive, and destabilising behaviour in cyberspace” which he said posed “a major threat to our economic and national security”.
The US Justice Department has also said four Chinese citizens – three security officials and one contract hacker – were charged in a global hacking campaign aimed at dozens of companies, universities and government agencies in the US and abroad.
The activities took place between 2011 and 2018 and focused on information that would significantly benefit Chinese companies and businesses, it said.
The opening of a new front in the governments’ war against hacking comes a month after G7 and NATO leaders agreed with US President Joe Biden at summits in Britain and Brussels in accusing the Chinese government of posing systemic challenges to the world order.
The governments formally attributed intrusions exploiting vulnerabilities in the Microsoft Exchange Server that were disclosed in March “cyber actors affiliated with” China’s Ministry of State Security, Mr Blinken said.
The Chinese embassy in Washington DC did not immediately respond to a request for comment.
Chinese officials have previously said China is also a victim of hacking and opposes all forms of cyber attacks.
US officials said the scope and scale of hacking attributed to China has surprised them, along with China’s use of “criminal contract hackers”.
“The PRC’s Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain,” Mr Blinken said.
US security and intelligence agencies will outline more than 50 techniques and procedures that “China state-sponsored actors” use in targeting US networks, a senior administration official said.
Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure, the 31-page US cybersecurity advisory seen by Reuters says.
In recent months, the US has focused heavy attention on Russia in accusing Russian cyberhackers of a string of ransomware attacks in the United States.
In the latest announcement, US officials formally blamed the Chinese government “with high confidence” for the hack that hit businesses and government agencies in the United States using a Microsoft email service.
Microsoft has already accused Chinese authorities of responsibility.
The operation specifically exploited weaknesses in Microsoft’s exchange program, a common email software.
Cybersecurity experts were shaken by the scale and volume of the incident, totalling thousands of potential US victims.
The senior Biden administration official said US concerns about Chinese cyber activities have been raised with senior Chinese officials.
“We’re not ruling out further action to hold the PRC accountable,” the official said.
Mr Blinken cited the Justice Department indictment of the three Chinese security officers and a contract hacker as an example of how the United States will impose consequences.
The defendants and officials in the Hainan State Security Department, a regional state security office, tried to hide the Chinese government’s role in the information theft by using a front company, according to the indictment, which was returned in May and unsealed Friday.
The campaign targeted trade secrets in industries including aviation, defence, education, government, health care, biopharmaceutical and maritime industries, the Justice Department statement said.
Victims were in Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, Britain and the US.