US, EU, UK, NATO blame china for "reckless" Exchange attacks

Do you remember back when the latest urgent update was a vulnerability in Microsoft Exchange? How is that only four months ago? The trigger for the urgent advice in March was the fact that Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributed the attacks to a group they have dubbed Hafnium.

Hafnium at the time was a newly identified attack group that was also thought to be responsible for attacks on internet-facing servers, and which was known for exfiltrating data to file sharing sites. Its targets were mainly entities in the United States across a number of industry sectors. Despite the group’s use of leased servers in the US, Microsoft believed it was based in China.

The attack method used against the Exchange servers was called ProxyLogon. ProxyLogon quickly went from “limited and targeted attacks” to a full-size panic. Microsoft’s patches for the Exchange vulnerabilities were quickly reverse engineered. Before long attackers from everywhere in the world and every level of cybercrime were using the bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.
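The post describes the post-exploitation step that turned ProxyLogon into an everyone's-problem: a web shell dropped into the Exchange web directories for persistence. The defender's counterpart is to baseline those directories and flag any server-side script file that appears or changes afterwards. The script below is an added example, not code from the post, from Microsoft or from any advisory: it hashes a directory tree, diffs it against a saved baseline, and scores added or modified `.aspx`/`.ashx`/`.asmx` files by a handful of tokens that a legitimate page rarely needs together. The directory layout, file names and token list are constructed assumptions for the demo, not indicators taken from any real incident.

```python
"""Baseline-and-diff hunt for unexpected server-side script files (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions that IIS executes as server-side code; only these are reported.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Triage tokens (assumed list, not an official signature set). A hit count is a
# reason to look, not proof of compromise.
SUSPICIOUS_TOKENS = [r"Request\[", r"Process\.Start", r"\beval\(", r"Assembly\.Load"]


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_inventory(baseline: dict, current: dict):
    """Return (added, modified) relative paths compared with the saved baseline."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified


def score_file(path: Path) -> list:
    """Return the suspicious tokens present in the file, in SUSPICIOUS_TOKENS order."""
    text = path.read_text(errors="replace")
    return [token for token in SUSPICIOUS_TOKENS if re.search(token, text)]


def hunt(root: Path, baseline: dict) -> list:
    """Report script files that were added or modified since the baseline was taken."""
    current = hash_tree(root)
    added, modified = diff_inventory(baseline, current)
    findings = []
    changes = [(p, "added") for p in added] + [(p, "modified") for p in modified]
    for rel, reason in changes:
        path = root / rel
        if path.suffix.lower() in SCRIPT_EXTENSIONS:
            findings.append({"path": rel, "reason": reason, "tokens": score_file(path)})
    return findings


def demo() -> list:
    """Build a constructed web root, baseline it, then simulate a post-patch drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth_dir = root / "owa" / "auth"          # constructed layout, not a real path claim
        auth_dir.mkdir(parents=True)
        (auth_dir / "logon.aspx").write_text(
            '<%@ Page Language="C#" %>\n<!-- constructed: stand-in for a legitimate page -->\n'
        )
        (auth_dir / "style.css").write_text("body { margin: 0 }\n")
        baseline = hash_tree(root)                # this is what you would store off-host

        # After the baseline: a new script file appears carrying two scored tokens.
        (auth_dir / "constructed.aspx").write_text(
            "<%@ Page %>\n<!-- constructed fixture: carries two scored tokens, not a functional page -->\n"
            "Process.Start Request[\n"
        )
        # A stylesheet also changed; it is ignored because it is not a script extension.
        (auth_dir / "style.css").write_text("body { margin: 1px }\n")
        return hunt(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is taken right after patching from a known-good installation and stored off the server, and the hunt is re-run on a schedule; an added `.aspx` under the web root with a non-zero token score is worth pulling for analysis regardless of what else the advisory lists.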


As most security researchers will tell you, attribution is hard, especially when it involves international espionage. Nonetheless, the US, UK, EU, and NATO have simultaneously voiced their concern about what they say is the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace.

Australia, Japan, New Zealand and Canada have also joined the coalition that is exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it. One element of the exposure is confirmation that Chinese state-backed actors were responsible for gaining access to computer networks around the world using ProxyLogon attacks against Microsoft Exchange servers.

The US Department of Justice also announced criminal charges against four hackers from the Chinese Ministry of State Security, the country’s unofficial espionage institution (the same organization that the UK named as the culprit behind the cyberattacks on Microsoft Exchange servers that took place earlier this year). The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are believed to be a part of this broader set of actions the federal government took to expose cybercrimes the White House officials say are sponsored and encouraged by the Chinese government.

The allies also attribute the activity known to cyber security experts as “APT40” and “APT31” to the Chinese Ministry of State Security. It is rare to see such a unified and orchestrated reprimand against one of the world’s leading economies, but so far that seems to be as far as it goes: no sanctions have been announced.


The EU has urged China to adhere to the “norms of responsible state behaviour as endorsed by all UN member states”, and not allow its territory to be used for malicious cyber-activities, and “take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation”.

The UK is calling on China to “reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.”

When asked about the Microsoft hack, Joe Biden said one reason the US has not imposed sanctions on China over the cyberattacks is that the Chinese government, not unlike the Russian government, is not doing this itself, but is protecting those who are doing it and maybe even accommodating them.

The EU imposed its first-ever sanctions in response to cyberattacks in July 2020, targeting Russian, Chinese and North Korean hackers involved in major incidents in previous years, namely the NotPetya ransomware outbreak, the Cloud Hopper supply-chain hack, and the WannaCry ransomware attack. In October 2020, it imposed sanctions on two Russian intelligence officers and a unit of the GRU military intelligence service over their involvement in hacking the German parliament in 2015.

From state-sponsored to free-for-all

As we have seen with ProxyLogon, the impact of this type of state-sponsored cybercrime isn’t limited to states. Techniques used by state actors have a way of getting picked up by cybercriminals who will grab every opportunity to make a few extra bitcoins.

Just look at EternalBlue and the other SMB exploits, developed as NSA hacking tools, that came out of The Shadow Brokers leak. They were quickly picked up by threat actors like Emotet and TrickBot, and EternalBlue was also the driving force behind WannaCry.

Observed tactics and techniques

The NSA, CISA, and FBI also issued a joint advisory containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors have used in attacks targeting the US and allied networks.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.