Key Takeaways
China appears to be running a state-sponsored cyberespionage campaign to collect intellectual property and confidential government data, and it has breached targets across the globe
The United States and a group of allies have publicly accused China of this campaign, including the large Microsoft Exchange hack at the beginning of this year
China denies all of the accusations and has in turn accused the U.S. of cyber theft and attacks against China
A string of Russian ransomware attacks has made headlines in the United States in recent months, but China has arguably had a more malicious global cyber presence over the last year than its neighbor to the north. While Russian cyber attacks have targeted infrastructure and extorted companies for money, China has led a cyberespionage campaign harvesting trade secrets, intellectual property, and confidential government information. Here are some of the major cyber attacks that have recently been attributed to China:
Microsoft Exchange
The US, UK and EU have all accused China of carrying out a major cyber-attack that began in January of this year. The attack targeted on-premises Microsoft Exchange servers, affecting at least 60,000 organizations globally. It is considered worse than the Russian SolarWinds attack because, unlike the SolarWinds breach, the Exchange vulnerability could be exploited automatically and at scale against any exposed server. Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behavior is escalating.
The Microsoft Exchange vulnerability gives attackers full control of the Exchange server. Because Exchange servers run with highly privileged Active Directory accounts, that control can be leveraged to compromise Active Directory itself. Active Directory handles authentication and permissions for the whole Windows domain, so once it is compromised the attackers have free rein over the target's network.
The attack was originally associated with the Chinese state-sponsored group Hafnium; however, at least half a dozen other groups have since been actively attacking organizations through the same vulnerability. The U.S. has accused the hackers involved of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
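A defender reading the above wants a concrete check. The PowerShell triage script below is an added example; it is not part of the article and not Microsoft's own tooling. It looks on an on-premises Exchange server for two indicators Microsoft published for these intrusions: unauthenticated requests in the HttpProxy logs whose AnchorMailbox begins with "ServerInfo~", and ASP.NET files recently created in the web directories where web shells were planted. The directory list, the 90-day lookback window, and the use of $env:ExchangeInstallPath to locate the install are assumptions; the script reports candidates for manual review rather than proving a compromise.

```powershell
# Added example, not from the article: post-incident triage for an on-premises Exchange server.
# Run from an elevated Exchange Management Shell on the server itself.
# Assumptions: default Exchange 2013/2016/2019 layout, $env:ExchangeInstallPath set,
# and a 90-day lookback window (widen it to cover the whole period of concern).
param([int]$LookbackDays = 90)

$exchangePath = $env:ExchangeInstallPath
if (-not $exchangePath) { throw 'ExchangeInstallPath is not set; run this on an Exchange server.' }
$since = (Get-Date).AddDays(-$LookbackDays)

# Check 1: HttpProxy logs. Requests with no authenticated user whose AnchorMailbox
# starts with "ServerInfo~" match the published indicator for the initial-access bug.
$httpProxyLogs = Join-Path $exchangePath 'Logging\HttpProxy'
$proxyHits = Get-ChildItem -Path $httpProxyLogs -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # Drop any '#'-prefixed banner lines so the CSV header is the first row parsed.
        Get-Content -Path $_.FullName | Where-Object { $_ -notmatch '^#' } | ConvertFrom-Csv
    } |
    Where-Object { -not $_.AuthenticatedUser -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
    Select-Object DateTime, ClientIpAddress, AnchorMailbox

# Check 2: web shells. Exchange's own pages date from the install or the last cumulative
# update, so ASP.NET files created inside the lookback window in these directories deserve
# a manual look. A recently applied CU will produce false positives here.
# The directory list is an assumption; extend it to any other web-facing path you serve.
$webDirs = @(
    (Join-Path $exchangePath 'FrontEnd\HttpProxy\owa\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)
$fileHits = Get-ChildItem -Path $webDirs -Recurse -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object FullName, CreationTime, Length

# Report. An empty result narrows the search but does not prove the server was untouched:
# an attacker with full control of the host can clear logs and remove shells.
if ($proxyHits) { Write-Warning "Suspicious HttpProxy requests: $(@($proxyHits).Count)"; $proxyHits | Format-Table -AutoSize }
if ($fileHits)  { Write-Warning "Recently created web files: $(@($fileHits).Count)"; $fileHits | Format-Table -AutoSize }
if (-not $proxyHits -and -not $fileHits) { Write-Output "No published indicators found in the last $LookbackDays days." }
```

Any hit from the first check means the server should be treated as compromised and the Active Directory accounts it uses reviewed, since the article's point is that the Exchange foothold is a stepping stone to the directory; the file check is only a starting list for analysts to examine by hand.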
Air India
India's flag carrier airline suffered an intrusion that lasted at least two months and involved the breach of customer personal data, including names, dates of birth, passport information and credit card data. The motive of the attack is still unclear. Researchers attributed the incident to a Chinese nation-state threat actor called APT41. APT41, also tracked as Barium or Axiom, is an advanced threat group known for information-theft and espionage campaigns against the healthcare and telecommunications sectors; it steals intellectual property and also commits financially motivated cybercrime.
Israel
In 2019 and 2020, hackers successfully targeted Israel's government and tech companies. At first, all evidence pointed to Iran, Israel's principal geopolitical rival; after further examination, however, analysts realized it was not an Iranian operation but one conducted by Chinese operatives. The hackers deployed tools normally associated with Iranian actors and wrote in Farsi, but deeper analysis revealed digital fingerprints pointing to the Chinese hacking group UNC215. FireEye, an American cybersecurity firm, released the research linking UNC215 to the hacks in Israel.
The hackers carried out data harvesting and reconnaissance, likely motivated by financial, technological and business interests.
Russian Federal Agencies
Chinese hackers have been blamed for breaching the websites of Russian government agencies in order to steal confidential government data. The U.S. cybersecurity company SentinelOne traced the attack to the Chinese hacking group ThunderCats because the malicious code used in the breaches resembles code associated with a broad set of Chinese intrusions into other Asian governments.
Among the affected agencies was the Russian FSB, the successor to the Soviet KGB. The attack was notably sophisticated: the malware evaded the security tools in use, and the attackers showed an understanding of the internal logic of the information-security products deployed by the agencies.
International response
This July, the United States, NATO, the EU, Australia, Britain, Canada, Japan, and New Zealand all accused China of a global cyberespionage campaign.
Secretary of State Antony Blinken said China's contract hackers cost governments and businesses billions of dollars in stolen intellectual property and ransom payments. "The (People's Republic of China's) Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain," he said. "Responsible states do not indiscriminately compromise global network security nor knowingly harbor cyber criminals – let alone sponsor or collaborate with them."
Deputy Attorney General Lisa Monaco said: "Today's international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft."
At the same event, the United States formally attributed intrusions such as the one affecting servers running Microsoft Exchange earlier this year to hackers affiliated with China's Ministry of State Security. Microsoft had already blamed China.
"These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments," Deputy U.S. Attorney General Lisa Monaco said in the statement.
China’s response
The allegations were angrily rejected by Beijing. China's foreign ministry spokesman Zhao Lijian said the accusation was "fabricated out of thin air" for political goals.
"China will absolutely not accept this," he told a regular news conference in Beijing on Tuesday. China does not engage in cyberattacks, and the technical details Washington has provided "do not constitute a complete chain of evidence", he said.
China in turn has accused the U.S. of cyberspying. Zhao specifically accused the U.S. Central Intelligence Agency of carrying out hacking attacks on China’s aerospace research facilities, oil industry, internet companies and government agencies over an 11-year period.
“China once again strongly demands that the United States and its allies stop cyber theft and attacks against China, stop throwing mud at China on cybersecurity issues and withdraw the so-called prosecution,” Zhao said.
Conclusion
China has economic and geopolitical motives for hacking. It is after trade secrets, intellectual property, and technology: anything that gives it a leg up on, or keeps it a step ahead of, the world's other superpowers. While Russian ransomware attacks make the headlines, China appears to be running a stronger and better organized cyber campaign that is penetrating countries all over the globe.