USA, EU and allies accuse China of attacks on Microsoft Exchange Server


The USA, EU states and NATO allies denounce cyber attacks that are said to have been carried out from Chinese territory. The alliance accuses China of “malicious cyber activities”, such as the attacks on Microsoft Exchange Server since the beginning of 2021. While the US government and the UK accuse the Chinese Ministry of State Security of employing hackers, the EU only says that the attacks were almost certainly carried out from Chinese territory.

According to the alliance, the two hacker groups APT40 and APT31 were responsible for the attacks; they spied for China and allegedly stole intellectual property. The groups were hired by the Ministry of State Security, the White House says, but also worked on their own account. In addition to the attacks on Microsoft Exchange Server, they are also accused of ransomware attacks, cyber extortion and cryptojacking.

According to the White House, total damage of several billion US dollars is said to have been caused. US government agencies have documented the attacks in detail. The more than 50 techniques and procedures used in the attacks are recorded in a 30-page document that is likely to be presented to the public.

The allegation is that the cyber criminals were hired to spy on companies and authorities in the United States and other countries. To do this, they exploited several security gaps in Microsoft Exchange servers to gain access to the servers and to ongoing communication such as e-mails, but also address books, appointment calendars and so on, in order to read and manipulate them. They also used the loopholes as an entry point for further attacks on government and company networks.

The targeted attacks (advanced persistent threats, APT), which exploited previously unknown security gaps, began in early January 2021, when the security company Volexity discovered the first isolated attacks on Exchange. Before Microsoft was able to close the gaps, the attacks were intensified at the end of February and broadened in order to hit as many systems as possible and plant a back door. After Microsoft released Exchange patches in early March, the attacks intensified further. Apparently, the attackers wanted to give as many systems as possible a back door before the gaps were closed.

The attacks hit authorities, arms companies, research institutions researching Covid-19 and other companies in the USA. More than 100,000 Exchange servers are said to be affected in the USA, and several tens of thousands in Germany. The Federal Office for Information Security (BSI) assumed in March that all systems that had not been secured were infected with a back door. Exchange servers in other countries were also compromised. According to the UK Foreign Office and the National Cyber Security Centre, more than a quarter of a million servers are affected worldwide.

According to an analysis by Microsoft, the attacks were attributed in March to the state-affiliated Chinese group Hafnium. At the G7 summit in Great Britain and at the NATO summit in Brussels, US President Joe Biden urged the allies to act together against such attacks. As a result of these efforts, calls on China to prevent further cyberattacks from its national territory have emerged. The US complains that China’s behavior contradicts its public declarations that such attacks will not be carried out.

For now, it seems to remain at public denunciation. Financial sanctions such as those imposed by the US on Russia in the case of the SolarWinds hack were not imposed. Evidently, the alliance states are striving for an amicable solution with China. The US has already spoken to representatives of the Chinese government about it. An official statement from China is still pending.

However, the US Department of Justice wants to bring charges against four suspected Chinese cybercriminals. They are said to have illegally gained access to numerous computer systems in the United States, including university and government computers, to steal information between 2011 and 2018. In addition, they are said to have stolen instructions for the manufacture of a vaccine against Ebola from a pharmaceutical company. The four suspects have been linked to the Chinese Ministry of State Security.