USA, EU, NATO, Microsoft & Co. Blame China for Hafnium Exchange Hack

At the end of February and the beginning of March 2021, there was a massive attack on Microsoft Exchange Server (see Exchange server 0-day exploits are actively exploited), in which many thousands of instances were hacked worldwide. Even then, the attacks were attributed to the Chinese hacker group Hafnium. Now the US, together with its allies (UK, NATO) and the EU, is accusing China of being responsible for this attack. The U.S. has also identified four Chinese nationals as responsible.


It was a massive cyber attack on Microsoft's on-premises Exchange Server that was already under way before Microsoft could roll out the patches to close the ProxyLogon vulnerability. As a result, numerous U.S. government agencies, companies and organizations were affected. But the mass hack also had consequences worldwide, with numerous Exchange instances compromised. The BSI revealed that six federal agencies, including the Federal Environmental Agency, were affected (see also Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)).

Already at the beginning of the attacks, Microsoft blamed the Chinese hacker group Hafnium for them. And since nothing works in China without the Communist Party (CP), the Chinese government was involved. It has taken a long time, but now the U.S. authorities seem to have enough evidence to specifically charge Chinese nationals and hold the Chinese government responsible for the attack.

Joint Statement of Concerns

The White House issued an official statement on July 19, 2021, entitled The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People's Republic of China, which is supported by the allies. NATO's statement can be found here, and similar statements have been issued by the European Union and other countries such as Australia, the UK, Canada, Japan and New Zealand. The contents of the statement summarized:

  • The statement: the cyberattack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but well-known pattern of behavior.
  • The demand: the Chinese government must end this systematic cyber sabotage and can expect to be held accountable if it does not.

The attack almost certainly enabled large-scale espionage, including the theft of personal data and intellectual property. The attack arguably crossed a line at which the U.S. coordinates consequences with its allies.

Axios also summarizes this here. US-CERT/CISA has published a summary of the facts and various assistance here.

Strange restraint

NATO's statement, for example, says it is increasingly concerned that cyber threats to Alliance security are complex, destructive and coercive, and are becoming more common. It says this has recently been highlighted by ransomware incidents and other malicious cyber activities that target critical infrastructure and democratic institutions and exploit vulnerabilities in hardware and software supply chains.


NATO condemns such malicious cyber activities that aim to destabilize and damage Euro-Atlantic security and disrupt the daily lives of affected citizens. NATO expresses solidarity with all those affected by recent malicious cyber activities, including the compromise of Microsoft Exchange Server. Such malicious cyber activities undermine security, trust, and stability in the cyber space in the view of NATO and the rest of the stakeholders.

NATO notes the national statements by Allies such as Canada, the United Kingdom, and the United States attributing responsibility for the compromise of Microsoft Exchange Server to the People's Republic of China. In line with the recent Brussels Summit communiqué, NATO's statement calls on all nations, including China, to honor their international commitments and obligations and to act responsibly in the international system, including in cyberspace.

In doing so, NATO reaffirms its willingness to engage in constructive dialogue with China based on NATO's interests, on areas of concern to the Alliance, such as cyber threats, and on common challenges. What strikes reporters is U.S. President Biden's reticence on the China issue. While in the case of Russia tough steps and sanctions were taken immediately, possibly amounting to cooperation by the Russian government with Western states, Joe Biden states:

My understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it. And maybe even accommodating them being able to do it.

So there is no direct accusation against the Chinese government, but it is being blamed for the attacks. White House spokeswoman Jen Psaki was later asked at her daily briefing why Biden had not directly blamed the Chinese government in his response to a reporter's question. Her response was:

That was not the intention he was trying to project. He takes malicious cyber activity incredibly seriously. We are not holding back, we are not allowing any economic circumstance or consideration to prevent us from taking actions … Also we reserve the option to take additional action …

Reuters writes that cyber experts are surprised that, alongside the flood of statements from Western powers representing a broad alliance, any consequences for China (beyond the U.S. indictment) are missing, and find that striking. Just a month ago, the G7 and NATO summits warned China that cyber attacks posed a threat to the international order.

Adam Segal, a cybersecurity expert at the Council on Foreign Relations in New York, is quoted by Reuters as saying that Monday's announcement represented a "successful attempt to get friends and allies to attribute the action to Beijing, but not very useful without concrete follow-up."

Recently, the White House under President Joe Biden had offered a $10 million reward for clues leading to the identification of those behind ransomware attacks. AP published the details in this post.

China rejects the allegations

A spokesman for the Chinese Embassy in Washington, Liu Pengyu, called the allegations against China "irresponsible." "The Chinese government and relevant personnel never engage in cyber attacks or cyber theft," Reuters quoted Liu as saying.

Four Chinese indicted

From the U.S. Department of Justice (DOJ) comes this statement charging four Chinese nationals, who are members of the APT40 hacker group and who work with the Ministry of State Security, with a global computer intrusion campaign. But the charges have nothing to do with the Hafnium attacks; instead, they involve hacking into the computer systems of dozens of victim companies, universities and government agencies in the U.S. and abroad between 2011 and 2018. The Record rehashed the details in this article.
