US blames Microsoft Exchange hack on affiliates of Chinese government

Hack of Microsoft Exchange software compromised tens of thousands of computers around the world

The Biden administration on Monday blamed China for the hack of Microsoft Exchange email server software that compromised tens of thousands of computers around the world earlier this year.

The administration made the announcement with a group of allies and partners, including the European Union, the United Kingdom, Canada, Australia, New Zealand, Japan and NATO.


A Biden administration official said this is the first time NATO has condemned China's cyber activities.

"No one action can change China's behavior in cyberspace and neither can just one country acting on its own," a senior administration official said. "Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing and defense." 

The Microsoft Exchange hack was first identified in January and was attributed to Chinese cyber spies by private sector groups. An administration official said the government’s attribution to hackers affiliated with China’s Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.

A Chinese Foreign Ministry spokesperson, asked about the Microsoft Exchange hack, previously told the Associated Press that China "firmly opposes and combats cyberattacks and cyber theft in all forms" and cautioned that attribution of cyberattacks should be based on evidence and not "groundless accusations."


But the Biden administration and allied nations also disclosed a broad range of other cyber-threats from Beijing, including ransomware attacks from government-affiliated hackers that have targeted companies with demands for millions of dollars. 

An official said the PRC's Ministry of State Security uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit. The official said activities range from criminal activities, like cyber-enabled extortion, to crypto-jacking, and theft from victims around the world for financial gain.

Meanwhile, a senior administration official said the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI will expose more than 50 tactics, techniques and procedures that Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, along with advice for technical mitigations to confront this threat.

Biden administration officials said they have raised concerns about the Microsoft incident and the PRC's "broader malicious cyber activities" with senior PRC government officials, saying they are "making clear" that their actions threaten "security, confidence and stability in cyberspace." 

"The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable," a senior administration official said. 

Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the Ministry of State Security in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities.

"These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments," Deputy Attorney General Lisa Monaco said in a statement. "The breadth and duration of China's hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from health care and biomedical research to aviation and defense, remind us that no country or industry is safe."


Monaco added that "today's international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft." 

And FBI Deputy Director Paul Abbate said the bureau and federal and international partners remain committed to imposing risk and consequences on malicious cyber actors. 

The Associated Press contributed to this report.