Microsoft and cybersecurity experts believe the massive hack against the Microsoft Exchange Server this year was conducted by a Chinese hacker group, but the Biden administration has yet to point the finger.
President Joe Biden signed a cybersecurity executive order earlier this month, naming three recent prominent cyberattacks — SolarWinds, Colonial Pipeline, and Microsoft — with a White House fact sheet saying those “recent cybersecurity incidents … are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals.” The United States has said Russian intelligence is behind the SolarWinds hack and that a Russian hacker gang is behind the Colonial Pipeline attack, but it has not publicly attributed the Microsoft hack to anyone.
The tech giant announced in March that it had detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” and said its Threat Intelligence Center attributed the cyber campaign with “high confidence” to a hacker group dubbed “Hafnium,” which “operates primarily from leased virtual private servers in the United States.” Microsoft said the hacker group was “state-sponsored” and operating out of China. Microsoft said the hackers had used the vulnerabilities to access email accounts and install additional malware “to facilitate long-term access to victim environments.”
Microsoft Exchange Server, the company’s mail server product, handles email, calendar, scheduling, contact, and collaboration services for the organizations that run it.
Tom Burt, the corporate vice president of customer security and trust at Microsoft, wrote in March that “Hafnium operates from China, and this is the first time we’re discussing its activity.” He called the Chinese hacker group “a highly skilled and sophisticated actor” that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”
Jake Sullivan, Biden’s national security adviser, was asked whether China was behind the Microsoft hack during a March press conference at the White House.
“I’m not in a position, standing here today, to provide attribution, but I do pledge to you that we will be in a position to attribute that attack at some point in the near future,” Sullivan said. “And we won’t hide the ball on that. We will come forward and say who we believe perpetrated the attack.”
The Biden administration has since been silent on attributing the hack to China. A spokesperson for the National Security Agency told the Washington Examiner to reach out to the National Security Council. The NSC did not provide a comment. A spokesperson for DHS said to “please contact the FBI for help with this inquiry.” The FBI spokesperson said that “unfortunately, we do not have a comment.” A DOJ spokesperson said they “don’t have anything to share with you on this at this time.” A spokesperson for the Cybersecurity and Infrastructure Security Agency said that “we do not have a comment on attribution.” And the Office of the Director of National Intelligence did not respond to a request for comment.
In April, the Biden administration attributed the massive SolarWinds cyberattack to Russia’s Foreign Intelligence Service, also known as the SVR, and a fact sheet released by the White House said the U.S. was “formally naming” the SVR “as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures” and that the intelligence community “has high confidence in its assessment of attribution to the SVR.” Former Secretary of State Mike Pompeo and former Attorney General William Barr both said in December they believed the cyber campaign was likely carried out by Russia.
Biden said in May that the ransomware attack on the Colonial Pipeline by the DarkSide gang wasn’t directed by the Kremlin but said the U.S. had “strong reason” to believe the criminals “are living in Russia.” The White House says it has been in “direct communication” with Moscow, though, calling on Vladimir Putin’s government to take action against the ransomware attackers.
Ben Read, the director of analysis at Mandiant Threat Intelligence, which is part of the FireEye cybersecurity firm, told the Washington Examiner there had been “three stages” of the Microsoft hack, arguing the first stage “was kind of limited use by what Microsoft tracks as Hafnium — we think likely China,” while the second stage was “a more widespread use by additional different Chinese groups.” The third stage was when the vulnerability became “publicly available” and was exploited by a yet-unknown number of other hacker groups.
“With sort of the initial Hafnium stuff, I have no reason to doubt Microsoft, they’re very good at what they do, their security team, and there’s so much of it, and we’re aware that it was likely used by other actors as well, especially when the proof of concept go out there, so it’s not sort of a singular event that I can easily talk about as sort of one event, but in general, yes, the initial use and since follow-up stuff we saw we think is likely China,” Read said. “The exploit was used, we believe, by multiple groups, so our analytic line is we have probably moderate confidence that at least some of the exploitation is linked to previously tracked groups we attribute to China.”
When describing how FireEye attributes hacks to China, he said: “With these specific groups, they are groups we believe, at the very least, act in support of, sort of, PRC goals … They appear to have significant funding because they’re able to operate for an extended period of time, sort of with a large amount of operations with sophistication — it takes money to do that. And the information they’re stealing is not easily monetizable, and in some cases, you have further forensic or pattern of life or other reasons, the belief that they’re located in China, or things like that, they speak Chinese … so the specific constellation is different for every group, but that’s kind of the general we have, that middle phase, linked to China.”
Read said that Hafnium’s actions were “unusual for an espionage group because not every place is gonna have interesting information,” yet the hackers had exploited vulnerable servers belonging to a host of individuals, small businesses, and other atypical espionage targets.
“Your mom-and-pop deli in Connecticut is just not gonna have a ton of information of interest to the Chinese government, but if they had a vulnerable exchange server, they got a web shell,” he said. “There are interesting questions as to why China chose to operate that way but not a whole lot of technical leads in explaining it.”
As for Hafnium, Read said: “As Microsoft said, it was a new group to them, we don’t have that stuff traced back historically, where we can sort of make a super confident attribution,” but “it matches the sort of general profile how the Chinese operate, some of the malware is familiar.”
John Hammond, a senior security researcher at the Huntress cybersecurity firm, was confident that China was behind the Microsoft hack.
“Every effort that the cyber threat intelligence community has made does point to HAFNIUM being a Chinese group,” he told the Washington Examiner. “While some HAFNIUM operations were often carried out from a U.S.-based IP address, this is simply indirection: using a DigitalOcean virtual private server to appear as if the attacks come from elsewhere. We have seen communication to deployed China Chopper webshells from Chinese IP addresses, and further research with honeypots certainly received a lot of traffic from China. Nothing can be guaranteed as absolute proof — but seeing a trend of repeated indicators, it certainly makes for a confident claim.”
The FBI said in March it was “aware of Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the advanced persistent threat actor known by Microsoft as Hafnium.” But the bureau declined to comment when asked if this meant the FBI was also assessing whether this was a Chinese operation.
Cybersecurity expert Brian Krebs reported in March that “at least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities, and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that’s focused on stealing email from victim organizations.”
The Huntress cybersecurity blog contended in March that “the webshell that these threat actors are using is known as the ‘China Chopper’ one-liner.” FireEye said in March that in a separate environment, it had seen the vulnerable Microsoft Exchange Server exploited by a threat actor whose activity matched the China Chopper web shell, which it says has “growing prevalence, especially among Chinese cybercriminals.” The cybersecurity firm Volexity appeared to be the first to spot the hack, writing that it detected the “anomalous activity” in January.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in April that the Biden administration was “standing down” its Unified Coordination Groups responding to the SolarWinds and Microsoft hacks but stressed the administration was taking a “whole-of-government effort” to deal with cyberattacks.
The Justice Department announced a “court-authorized operation” by the FBI last month to copy and remove “malicious web shells” from hundreds of U.S. computers in response to the massive cyberattacks against Microsoft’s Exchange Server.
The Chinese Foreign Ministry rejected Microsoft’s claim that China was involved in the newly discovered cyberattacks, just as Russia has denied culpability for the SolarWinds hack.