The nations will share intelligence on cyberthreats, and collaborate on network defenses and security.

Edward Gately, Senior News Editor

July 19, 2021


The Biden administration and Western allies are blaming China for the massive cyberattack earlier this year on Microsoft Exchange servers.

A new joint effort by NATO members, the European Union, Australia, New Zealand and Japan called out and confronted the threat posed by Chinese state-sponsored cyberattacks. The nations will share intelligence on cyberthreats, and collaborate on network defenses and security.

“The United States is deeply concerned that the People’s Republic of China (PRC) has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit,” the White House said. “As detailed in public charging documents unsealed in October 2018, and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber-enabled extortion, cryptojacking and rank theft from victims around the world, all for financial gain.”

Massive Worldwide Impact

The Chinese hackers targeted on-premises Microsoft Exchange business email software globally. Before Microsoft released its security updates, MSS-affiliated cyber operators exploited Exchange vulnerabilities, the White House said. The hackers compromised tens of thousands of computers and networks worldwide. The attack resulted in significant remediation costs for its mostly private-sector victims.

Microsoft attributed the attack to HAFNIUM, a group considered to be state-sponsored and operating out of China.

In addition, the U.S. Department of Justice (DoJ) announced criminal charges against four MSS hackers over activities in a multiyear campaign targeting foreign governments and entities in key sectors. Those include maritime, aviation, defense, education and health care in at least a dozen countries.

DoJ documents outline how MSS hackers pursued the theft of Ebola virus vaccine research. This demonstrates that China’s theft of intellectual property, trade secrets and confidential business information extends to critical public health information.

The FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a new advisory. It lists 50 tactics, techniques and procedures (TTPs) that Chinese state-sponsored hackers employ.

Real-Time Data ‘Extremely Useful’ to Prevent Attacks

Mark Ostrowski is Check Point Software Technologies’ head of engineering.



“CISA and FBI have done an admirable job informing public and private sectors of TTPs of known indicators of compromise (IOCs) of this incident and others,” he said. “Further alerts of real-time data are extremely useful and can be consumed in real time by U.S. organizations for prevention.”

More communication and collaboration between the public and private sectors will increase information sharing and prevention, Ostrowski said. This will make a difference as long as the recipients of the data can take action immediately.

“Organizations need to build and maintain a security framework that allows for real-time digestion of threat intel data for prevention purposes, and also maintain a platform for threat hunting to look into their infrastructures for these malicious campaigns,” he said. “Ongoing ‘care and feeding’ of security infrastructure is also of highest importance. Any depreciated or vulnerable services will be exploited as a means of malicious entry.”

No End in Sight to Malicious Activity

Hackers will likely continue their activity moving forward, Ostrowski said.

“Also, organizations need to consider that these activities originate globally due to the nature of cloud computing and existing malicious networks controlled by threat actors,” he said.



Mark Loman is director of engineering at Sophos.

“It has been a few months since attackers exploited the HAFNIUM-related bugs in Exchange to deploy ransomware, like DearCry and Black Kingdom,” he said. “In general, to protect themselves, ransomware operators typically operate from the dark web, or via one or more compromised servers hosted in countries other than the physical location of the attackers. This makes attack attribution hard, but not impossible.”

Jerry Ray is COO of SecureAge.



“Multiple countries and organizations like NATO taking a stand against a frequent or notorious perpetrator of cyber crimes certainly helps with attribution, which is agonizingly difficult with cybercrime,” he said. “The more that countries can share with others the anatomy and function of attack signatures within their borders, the better they can collectively prevent them in the future while also comparing notes that could lead to identification of suspects. Beyond that, however, a verbal or written scolding by one victimized nation or several will likely result in multiple, louder denials instead of one from China or other suspected state actors.”

Blame Without Penalties Won’t Lessen Attacks

It’s always beneficial for countries to cooperate and share cyber crime knowledge, Ray said. However, blaming China without penalties or similar action will not lessen the ferocity and frequency of attacks from that country or others.

“Most assuredly, attacks from China or any other country will neither cease nor slow down,” he said. “The rewards of IP theft, fraud, monetary crimes and cyber espionage in sum far exceed the cost and have become a competitive advantage in international trade. Most critically, technical means to obfuscate the origin, ultimate purpose or vector of cyberattacks almost always leave room for plausible deniability, while the option of pinning cyber crimes on non-state actors, such as hacking groups or crime syndicates, provides the ultimate rejection of any state-sponsored action.”



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
