Brian Sims
Editor

UK holds Chinese state responsible for “pervasive pattern” of hacking

THE UK has revealed that Chinese state-backed actors are believed to have been responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The National Cyber Security Centre – which is a part of GCHQ – has assessed it to be highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity.

The attacks took place in early 2021. Open source reporting indicates that at least 30,000 organisations have been compromised in the US alone, with many more affected worldwide. As part of a cross-Government response, the NCSC issued tailored advice to over 70 affected organisations, enabling them to mitigate the effects of the compromise.

Paul Chichester, director of operations at the NCSC, observed: “The attack on Microsoft Exchange servers is another serious example of a malicious act by Chinese state-backed actors in cyber space. This kind of behaviour is completely unacceptable and, alongside our partners, we will not hesitate to call it out when we see it. It is vital that all organisations continue to promptly apply security updates and report any suspected compromises to the NCSC via our website.”

The NCSC recommends following vendor best-practice advice when mitigating vulnerabilities. Any organisation that has yet to install the security updates released for Microsoft Exchange servers should do so now. More information can be found on Microsoft’s website.

The attack on Microsoft Exchange software was highly likely to enable large-scale espionage, including acquiring personally identifiable information and Intellectual Property. It is the most significant and widespread cyber intrusion against the UK and its allies uncovered to date.

The UK is also attributing to the Chinese Ministry of State Security the activity known in open source as APT40 and APT31. Activity attributed to APT40 included the targeting of maritime industries and naval defence contractors in the US and Europe; activity attributed to APT31 included the targeting of Government entities (among them the Finnish Parliament) in 2020.

Shared intelligence

David Carroll, managing director at Nominet Cyber, said: “Until now, we have seen relatively few large-scale, co-ordinated and state-sponsored attacks, perhaps due to an acceptance that countries have mutual vulnerability. There is evidence to suggest that this is changing, however, not least from this latest accusation against the Chinese Government for targeting Microsoft Exchange servers. This is the second accusation of its kind, the previous one being in 2018 regarding the theft of trade secrets.”

Carroll continued: “In readying Government cyber security teams to respond to global threats, we must not be blinkered by what is happening on our own soil, but instead seek to share intelligence so that we can collectively eliminate risk. Co-ordinated cross-country response will enable us to quickly identify attackers, call out malicious intent and more effectively mitigate worldwide attacks.”

In conclusion, Carroll observed: “The best means of preventing harm at scale from these types of cyber attacks is to combine collective intelligence with Government intervention. With an adversary indiscriminately compromising so many servers and this now becoming a ‘familiar pattern of behaviour’, we need to deploy our own technologies that enact protection at scale.”

Consistency on show

Ben Read, director of analysis for Mandiant Threat Intelligence, explained: “The statements issued by multiple Governments naming the People’s Republic of China as being responsible for the widespread exploitation of Microsoft Exchange servers earlier this year are consistent with Mandiant’s previous findings. The links between APT40 and the Chinese Ministry of State Security operating out of Hainan Island are also consistent with technical evidence that Mandiant has previously identified showing that operators were likely located there.”

Further, Read went on to comment: “The indictment highlights the significant threat to multiple businesses from Chinese espionage. The group’s focus on biomedical research shows that emerging technologies are still a key target for Chinese espionage. Alongside that, the theft of negotiating strategies underscores the risk posed to all companies doing business with China, not just those with high value Intellectual Property.”

Read concluded: “APT40 and APT31 are only two of the many groups operating in support of the People’s Republic of China. We fully expect these groups to continue to pose a threat to Governments and private sectors around the world.”
