The United States and other countries are accusing China’s Ministry of State Security of using criminal contract hackers to conduct unsanctioned cyber operations globally, from which the hackers personally profit.
The activities include ransomware operations against private companies that are forced to pay millions in ransom demands to regain access to their data, according to U.S. officials.
“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” said a statement from U.S. Secretary of State Antony Blinken.
The United States, along with NATO, the European Union, the United Kingdom, Japan, Canada, Australia and New Zealand, on Monday specifically blamed China for the cyberattack in March that affected tens of thousands of organizations via Microsoft Exchange servers.
This was a type of zero-day hack where a vulnerability is known to software vendors, but they do not yet have a patch in place to fix the flaw.
“The U.S. government has raised its concerns about both this incident and China’s broader malicious cyber activity with senior Chinese government officials, making clear that these actions threaten security competence and stability in cyberspace,” a senior administration official told reporters on a call Sunday evening ahead of the announcement.
The use by China’s civilian intelligence agency of criminal contract hackers was “really eye-opening and surprising for us,” the official said.
Also significant is that the state security ministry is using those hackers to “conduct unsanctioned cyber operations globally, including for their own personal profit,” according to the senior U.S. official.
China has consistently denied being involved in such activities.
Lu Kang, a foreign ministry spokesman, was asked in mid-March about allegations made by four private security firms who were investigating ransomware attacks. The firms blamed an advanced threat group from China for the sophisticated network intrusions.
Lu replied that if such allegations were seriously made with reliable proof, then Beijing would take it seriously, but it did not have time to respond to “rumors and speculation.”
The details released Monday morning in Washington and in allied capitals are seen as an attempt to give China’s government the details it requested.
Specifically, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, in a joint advisory issued Monday, said they “have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI (critical infrastructure) personnel and organizations.”
“This is really an unprecedented group of allies and partners holding China accountable,” the senior U.S. official said in the call with reporters.
The U.S. agencies said “Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure” and use “a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political and military information.”
The administration of U.S. President Joe Biden has been vocal about a series of ransomware and other attacks blamed on groups operating in Russia, but it has not directly linked those activities to the Russian government.
In a face-to-face meeting with Russian President Vladimir Putin in Geneva last month, Biden threatened to take action against Moscow if cyber criminals continued to operate inside Russia unhindered.