In a coordinated announcement, the White House and governments in Europe and Asia will identify China’s Ministry of State Security, the sprawling and secretive civilian intelligence agency, as using “criminal contract hackers” to conduct a range of destabilizing activities around the world for personal profit, according to a senior US administration official.
The administration official also said China was behind a specific ransomware attack against a US target that involved a “large ransom request” — and added that Chinese ransom demands have been in the “millions of dollars.”
“What we found really surprising and new here was the use of criminal contract hackers to conduct this unsanctioned cyber operation and really the criminal activity for financial gain. That was really eye-opening and surprising for us,” a senior administration official said on Sunday ahead of the announcement.
Still, while American officials have raised concerns with the Chinese about the behavior, the US is stopping short of applying new punishment on Beijing as part of Monday’s announcement. The official said the US was “not ruling out further actions to hold (China) accountable.”
Unlike many of the attacks emanating from Russia, however, the attempts from China to extort money or demand ransoms have closer links to the government, according to administration officials.
Those activities include “cyber-enabled extortion, crypto-jacking and theft from victims around the world for financial gain,” an official said, along with ransomware attacks against companies demanding millions of dollars.
The official said at least one American company had been targeted for a “large” ransom by hackers working in association with the Chinese intelligence service but declined to provide further details.
The attack “really raised concerns for us with regard to the behavior and, frankly, with regard to the fact that individuals related to the MSS conducted it,” the official said.
Microsoft publicly linked the hack of its Exchange email service to China in March. It said four vulnerabilities in its software allowed hackers to access servers for the popular email and calendar service, and both the company and the White House advised users to immediately update their on-premises systems with software fixes.
The official said the US government wanted to ensure it had high confidence in its assessment before formally attributing the hack to China. But officials also wanted to combine the announcement with details of China’s other activities, along with information like malware signatures and other indicators of compromise that would be useful for other companies at risk of being breached.
On Monday, the United States will also publish more than 50 “tactics and procedures” Chinese state-sponsored cyber hackers utilize when targeting US networks in the hopes of making vulnerable entities more prepared. The list will also include “technical mitigations to confront this threat,” the official said.
In addition to the United States, the other countries included in the Five Eyes intelligence sharing collective — the United Kingdom, Australia, New Zealand and Canada — will make similar announcements accusing China of engaging in “irresponsible and destabilizing behavior in cyberspace.”
Japan and the European Union will also join the announcement, as will NATO, marking the first time the defense bloc will publicly condemn China’s cyber activities.
Monday’s announcement is an extension of those efforts, officials said, singling out cyber-threats as another area of concern for the global community alongside human rights and maritime aggressions.
The official said China’s cyber-activity “poses a major threat to the US and allies’ economic and national security” and framed it as “inconsistent with (China’s) stated objectives of being seen as a responsible leader in the world.”
US blames China for hacks, opening new front in cyber offensive