Washington Examiner - Political News and Conservative Analysis About Congress, the President, and the Federal Government Microsoft and cybersecurity experts believe the massive hack against the Microsoft Exchange Server this year was conducted by a Chinese hacker group, but the Biden administration has yet to point the finger.
President Joe Biden signed a cybersecurity executive order earlier this month, naming three recent prominent cyberattacks â SolarWinds, Colonial Pipeline, and Microsoft â with a White House fact sheet saying those ârecent cybersecurity incidents ⊠are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.â The United States has said Russian intelligence is behind the SolarWinds hack and that a Russian hacker gang is behind the Colonial Pipeline attack, but it has not publicly attributed the Microsoft hack to anyone.
The tech giant announced in March that it had detected âmultiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacksâ in March and said its Threat Intelligence Center attributed the cybercampaign with âhigh confidenceâ to a hacker group dubbed âHafnium,â which âoperates primarily from leased virtual private servers in the United States.â Microsoft said the hacker group was âstate-sponsoredâ and operating out of China. Microsoft said the hackers had used vulnerabilities to access email accounts and install additional malware âto facilitate long-term access to victim environments.â
The Microsoft Exchange Server handles the companyâs email, calendar, scheduling, contact, and collaboration services.
Tom Burt, the corporate vice president of customer security and trust at Microsoft, wrote in March that âHafnium operates from China, and this is the first time weâre discussing its activity.â He called the Chinese hacker group âa highly skilled and sophisticated actorâ that âprimarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.â
Jake Sullivan, Bidenâs national security adviser, was asked whether China was behind the Microsoft hack during a March press conference at the White House.
âIâm not in a position, standing here today, to provide attribution, but I do pledge to you that we will be in a position to attribute that attack at some point in the near future,â Sullivan said. âAnd we wonât hide the ball on that. We will come forward and say who we believe perpetrated the attack.â
The Biden administration has since been silent on attributing the hack to China. A spokesperson for the National Security Agency told the Washington Examiner to reach out to the National Security Council. The NSC did not provide a comment. A spokesperson for DHS said to âplease contact the FBI for help with this inquiry.â The FBI spokesperson said that âunfortunately, we do not have a comment.â A DOJ spokesperson said they “don’t have anything to share with you on this at this time.â A spokesperson for the Cybersecurity and Infrastructure Security Agency said that âwe do not have a comment on attribution.â And the Office of the Director of National Intelligence did not respond to a request for comment.
In April, the Biden administration attributed the massive SolarWinds cyberattack to Russiaâs Foreign Intelligence Service, also known as the SVR, and a fact sheet released by the White House said the U.S. was âformally namingâ the SVR âas the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructuresâ and that the intelligence community âhas high confidence in its assessment of attribution to the SVR.â Former Secretary of State Mike Pompeo and former Attorney General William Barr both said in December they believed the cybercampaign was likely carried out by Russia.
Biden said in May that the ransomware attack on the Colonial Pipeline by the DarkSide gang wasnât directed by the Kremlin but said the U.S. had “strong reason” to believe the criminals “are living in Russia.” The White House says it has been in “direct communication” with Moscow, though, calling on Vladimir Putin‘s government to take action against the ransomware attackers.
Ben Read, the director of analysis at Mandiant Threat Intelligence, which is part of the FireEye cybersecurity firm, told the Washington Examiner there had been âthree stagesâ of the Microsoft hack, arguing the first stage âwas kind of limited use by what Microsoft tracks as Hafnium â we think likely China,â while the second stage was âa more widespread use by additional different Chinese groups.â The third stage was when the vulnerability became âpublicly availableâ and was exploited by a yet-unknown number of other hacker groups.
âWith sort of the initial Hafnium stuff, I have no reason to doubt Microsoft, theyâre very good at what they do, their security team, and thereâs so much of it, and weâre aware that it was likely used by other actors as well, especially when the proof of concept go out there, so itâs not sort of a singular event that I can easily talk about as sort of one event, but in general, yes, the initial use and since follow-up stuff we saw we think is likely China,â Read said. âThe exploit was used, we believe, by multiple groups, so our analytic line is we have probably moderate confidence that at least some of the exploitation is linked to previously tracked groups we attribute to China.â
When describing how FireEye attributes hacks to China, he said: âWith these specific groups, they are groups we believe, at the very least, act in support of, sort of, PRC goals ⊠They appear to have significant funding because theyâre able to operate for an extended period of time, sort of with a large amount of operations with sophistication â it takes money to do that. And the information theyâre stealing is not easily monetizable, and in some cases, you have further forensic or pattern of life or other reasons, the belief that theyâre located in China, or things like that, they speak Chinese ⊠so the specific constellation is different for every group, but thatâs kind of the general we have, that middle phase, linked to China.â
Read said that Hafniumâs actions were âunusual for an espionage group because not every place is gonna have interesting information,â and yet, the hackers had pursued vulnerabilities against a host of individuals, small businesses, and other unusual espionage targets.
âYour mom-and-pop deli in Connecticut is just not gonna have a ton of information of interest to the Chinese government, but if they had a vulnerable exchange server, they got a web shell,” he said. “There are interesting questions as to why China chose to operate that way but not a whole lot of technical leads in explaining it.â
As for Hafnium, Read said: âAs Microsoft said, it was a new group to them, we donât have that stuff traced back historically, where we can sort of make a super confident attribution,â but âit matches the sort of general profile how the Chinese operate, some of the malware is familiar.â
John Hammond, a senior security researcher at the Huntress cybersecurity firm, was confident that China was behind the Microsoft hack.
âEvery effort that the cyber threat intelligence community has made does point to HAFNIUM being a Chinese group,â he told the Washington Examiner. âWhile some HAFNIUM operations were often carried out from a U.S.-based IP address, this is simply indirection: using a DigitalOcean virtual private server to appear as if the attacks come from elsewhere. We have seen communication to deployed China Chopper web shells from Chinese IP addresses, and further research with honeypots certainly received a lot of traffic from China. Nothing can be guaranteed as absolute proof â but seeing a trend of repeated indicators, it certainly makes for a confident claim.â
The FBI said in March it is âaware of Microsoftâs emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the advanced persistent threat actor known by Microsoft as Hafnium.â But the bureau declined to comment when asked if this meant the FBI was also assessing if this was a Chinese operation.
Cybersecurity expert Brian Krebs reported in March that âat least 30,000 organizations across the United States â including a significant number of small businesses, towns, cities, and local governments â have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit thatâs focused on stealing email from victim organizations.â
The Cybersecurity Huntress blog contended in March that âthe web shell that these threat actors are using is known as the âChina Chopperâ one-liner.â FireEye said in March that in a separate environment, it had seen the vulnerable Microsoft Exchange Server exploited by a threat actor that matched the China Chopper, which it says has âgrowing prevalence, especially among Chinese cybercriminals.â The cybersecurity firm Volexity appeared to first spot the hack, writing that it detected the âanomalous activityâ in January.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in April that the Biden administration was âstanding downâ its Unified Coordination Groups responding to the SolarWinds and Microsoft hacks but stressed the administration was taking a âwhole-of-government effortâ to deal with cyberattacks.
The Justice Department announced a âcourt-authorized operationâ by the FBI last month to copy and remove âmalicious web shellsâ from hundreds of U.S. computers in response to the massive cyberattacks against Microsoftâs Exchange Server.
