The United States and its allies took the extraordinary step of attributing cyberattacks that exploited vulnerabilities in Microsoft’s Exchange Server to hackers affiliated with China’s Ministry of State Security.
In a separate action announced as part of the same statement, the U.S. Justice Department unsealed criminal charges against four people whom it identified as MSS hackers — accusing them of engaging in “a multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in a least a dozen countries.”
That indictment lists among the targets of the attempted hacks “a Washington university with an Applied Physics Laboratory involved in maritime research and development.” GeekWire has contacted the University of Washington, which appears to uniquely fit that description, for further comment.
[Update: Cyberattacks targeting the University of Washington and other institutions were documented in a 2019 report by iDefense, as reported by the Wall Street Journal at the time.
Separately, the University of Washington confirmed that it is the institution referenced in the indictment.
“The University of Washington takes cybersecurity very seriously and is aware of phishing and hacking efforts here and at major research universities around the world,” said UW spokesperson Victor Balta via email. “The UW acts to block all reported phishing messages targeting UW credentials, and actively monitors for compromised accounts and disables them to help reduce malicious behavior as soon as they are identified.”]
Both actions are part of a broader attempt by the U.S. and its NATO allies to identify and curb what they describe as China’s “irresponsible state behavior.”
The attribution of the Exchange Server hacks builds on Microsoft’s identification of the hackers in March as the Chinese group Hafnium, which the company described at the time as a “highly skilled and sophisticated actor.”
The attributions made by the U.S. government and its allies Monday morning are “an important and positive step that will contribute to our collective security,” said Tom Burt, Microsoft’s corporate vice president, customer security and trust.
“Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable,” Burt said. “Transparency is critical if we’re to combat the rising cyberattacks we see across the planet against individuals, organizations and nations.”
The White House said in its statement, “Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims.”
It added, “We have raised our concerns about both this incident and the PRC’s broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace.”
The newly unsealed grand jury indictment against four alleged MSS affiliates was originally filed May 28 in the U.S. District Court for the Southern District of California.
The indictment alleges, “The object of the conspiracy was to install malware and hacking tools on protected computers and to leverage such malware and tools to commit unauthorized computer intrusions, all with the goal of stealing information of value from foreign governments, universities, and companies on behalf of the PRC and its instrumentalities, including state-owned enterprises in the railway and shipbuilding industries, and PRC state-sponsored and private sector biopharmaceutical and other companies.”
It refers to the targets of the hacks by pseudonyms, using the name “University G” for the Washington university with the maritime-oriented Applied Physics Lab.
As part of a multi-year effort to infiltrate computer systems, the indictment says the hackers in 2016 and 2017 sent targeted malicious emails, known as spear phishing attacks, to researchers and labs at institutions including University G, using email accounts the hackers had previously compromised.
An examination of spear phishing emails sent in December 2017 to University G and a Pennsylvania university (“University D”) revealed that the hackers had specific interest in “nanopore data used in virus research that University G had exclusively licensed to a private company,” according to the indictment.
The University of Washington in October 2013 announced that researchers led by UW physicist Jens Gundlach had developed “a nanopore sequencing technology capable of reading the sequence of a single DNA molecule,” and licensed the technology to San Diego-based Illumina Inc.
It is not clear from the indictment if the spear phishing attacks against “University G” were successful.