White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks

The Biden administration released a statement on Monday naming the People's Republic of China as responsible for widespread cyberattacks that notably targeted Exchange Server users.

Microsoft released out-of-band patches for the Exchange Server zero-day vulnerabilities on March 2. At the time, Microsoft attributed the attacks to a group it calls "Hafnium," which it assessed to be state-sponsored and operating out of China. APT40 is the industry designation for one China-linked group, the one named in the CISA advisory and the Justice Department indictment that accompanied Monday's statement.

Before Microsoft's March patch release, "tens of thousands of computers and networks worldwide" had been exploited, according to the White House's statement.

The White House cited support from the European Union, the United Kingdom and NATO in asserting that the Chinese government was behind the widespread espionage attacks and the ransomware attacks that followed. China is accused of using contract hackers who carried out state-directed operations while also pursuing personal financial gain by deploying ransomware against organizations.

Here's how it was described by the White House statement:

In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC's unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.

That the attackers were also deploying ransomware, and not just conducting espionage, was known back in early March. In April, the U.S. Justice Department disclosed that the U.S. Federal Bureau of Investigation (FBI) had, under a court order, accessed compromised Exchange servers and removed the web shells left behind by the attackers.

The Biden administration stopped short of imposing sanctions on China. It is issuing the statement now because of the ransomware-for-profit activity of the APT40 group and because it needed time to prepare guidance for businesses, according to an Associated Press story citing an unnamed administration official. The AP story noted that the administration has also warned businesses about the risks of operating in Hong Kong.

The White House statement was accompanied by a U.S. Department of Justice announcement of an indictment against four Chinese nationals alleged to have acted on behalf of China's Ministry of State Security through its Hainan State Security Department. The indictment (PDF) was returned by a grand jury in May and unsealed in connection with the announcement.

According to the indictment, the hackers gained access using stolen credentials and spearphishing, then deployed customized malware to maintain access to victim networks. They used the Tor anonymity network to obscure their identities, GitHub to host malware and stolen data, and Dropbox to stage exfiltrated data. They also concealed stolen data inside image files, including images of former President Trump and a panda bear, using steganography.

In addition to the White House statement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a set of advisories on Chinese state-sponsored cyber threat activity, along with a summary announcement and an overview page. One advisory lists the indicators of compromise associated with APT40's activities; another describes mitigation measures organizations should take.

The FBI also issued an announcement pointing to a joint statement from the FBI, CISA and the U.S. National Security Agency on the alleged Chinese-state attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

