[BreachExchange] UK, US confirm Chinese state backed MS Exchange Server attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jul 19 13:45:10 EDT 2021


https://www.computerweekly.com/news/252504168/UK-US-confirm-Chinese-state-backed-MS-Exchange-Server-attacks

The UK and US governments, alongside allies and partners including the
European Union (EU) and Nato, have confirmed today that a group of Chinese
state-backed malicious actors known as Hafnium were responsible for gaining
illicit access to multiple target networks via vulnerabilities in
on-premises versions of Microsoft Exchange Server.

The Exchange attacks took place earlier this year and compromised thousands
of organisations around the world – at least 30,000 in the US alone –
probably to enable large-scale espionage, including obtaining personal data
and intellectual property.

In the UK, the National Cyber Security Centre (NCSC) said it has now
supported more than 70 victims, providing tailored advice and guidance to
help them navigate the aftermath of the attacks.

“The attack on Microsoft Exchange servers is another serious example of a
malicious act by Chinese state-backed actors in cyber space,” said NCSC
operations director Paul Chichester. “This kind of behaviour is completely
unacceptable, and alongside our partners, we will not hesitate to call it
out when we see it.

“It is vital that all organisations continue to promptly apply security
updates and report any suspected compromises to the NCSC via our website.”

Foreign secretary Dominic Raab added: “The cyber attack on Microsoft
Exchange Server by Chinese state-backed groups was a reckless but familiar
pattern of behaviour. The Chinese government must end this systematic cyber
sabotage and can expect to be held to account if it does not.”

The UK also today accused the Chinese Ministry of State Security (MSS) of
being behind the activity of groups referred to as APT40 and APT31, which
between them have targeted maritime and naval defence contractors, and
government bodies.

Raab accused Beijing of having repeatedly ignored calls to end this
campaign of activity, and said it was instead allowing these groups to ramp
up their activity, and act recklessly when caught.

He called on the Chinese government to take responsibility for its actions
and respect the democratic institutions, personal data and commercial
interests “of those with whom it seeks to partner”.

The UK is also calling on China to reaffirm previous commitments made to
the UK in 2015, and as part of the G20, not to conduct or support
cyber-enabled theft of intellectual property.

At the same time, the US Department of Justice (DoJ) has today charged four
members of APT40 with running a campaign of cyber attacks that targeted
private companies, universities and government bodies around the world
between 2011 and 2018.

The DoJ alleged that the defendants and conspirators at the Hainan State
Security Department (HSSD) sought to obfuscate their theft by establishing
a front company – Hainan Xiandun – operating out of the city of Haikou in
Hainan, an island province lying off China’s south coast, about 300 miles
east of Hong Kong.

The indictment names Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin as HSSD
officers responsible for coordinating, facilitating and managing an
intrusion team made up of technical specialists and linguists at Hainan
Xiandun. It also names Wu Shurong as a supervisor who, as part of his job
duties at the front company, accessed computer systems operated by foreign
governments, companies and universities, and oversaw others on the payroll.

They are also accused of working with staff and professors at universities
in Hainan and elsewhere in China to further the campaign’s goals. The
universities supposedly provided material assistance to the MSS in
identifying and recruiting people to penetrate and steal from target
networks.

The campaign is known to have had victims in Austria, Cambodia, Canada,
Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa,
Switzerland, the UK and the US, with targeted verticals including aviation,
defence, education, government, healthcare, biopharmaceutical and maritime.

Some of the IP stolen included technology relating to submersible and
autonomous vehicles, chemical formulae, commercial aircraft servicing,
genetic sequencing tech, research on diseases including Ebola, HIV/AIDS and
MERS, and information that could have supported China’s efforts to secure
contracts for its state-owned enterprises in targeted countries.

“These criminal charges once again highlight that China continues to use
cyber-enabled attacks to steal what other countries make, in flagrant
disregard of its bilateral and multilateral commitments,” said US deputy
attorney general Lisa Monaco.

“The breadth and duration of China’s hacking campaigns, including these
efforts … remind us that no country or industry is safe. Today’s
international condemnation shows that the world wants fair rules, where
countries invest in innovation, not theft.”

APT40 supposedly accessed its victim networks via fraudulent spear-phishing
campaigns, backed by fictitious online profiles and lookalike domains
created to mimic the websites of legitimate companies and partners. In some
cases, the team also used hijacked credentials to target others at the same
organisation.
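The lookalike domains described above are a common detection opportunity: a defender can compare newly observed sender or link domains against the organisation's own and its partners' domains after normalising the character substitutions typosquatters rely on. The following is an added example written for this post, not code from the article, Computer Weekly, or any of the agencies mentioned; the trusted domains, the candidate domains and the homoglyph table are constructed for illustration, and the public-suffix handling is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
"""Flag domains that look like a trusted domain after homoglyph normalisation.

Added example for the BreachExchange post; all domains below are constructed
sample data, not indicators from the article or the CISA advisory.
"""
from __future__ import annotations

# Constructed: domains the organisation and its partners legitimately use.
LEGIT_DOMAINS = ["example-defence.com", "partner-maritime.co.uk"]

# Constructed: candidate domains as they might appear in mail or proxy logs.
SAMPLE_CANDIDATES = [
    "examp1e-defence.com",       # digit 1 standing in for l
    "example-defence.net",       # same label, different TLD
    "partner-rnaritime.co.uk",   # "rn" standing in for "m"
    "unrelated.org",             # genuinely unrelated
    "example-defence.com",       # the real domain itself, must not be flagged
]

# Visually confusable substitutions seen in typosquatting. Applying them to
# legitimate words can also merge letters (e.g. "modern" -> "modem"); that is
# acceptable here because both sides are normalised the same way.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# Simplified public-suffix handling (assumption): a two-letter ccTLD preceded
# by one of these labels is treated as a two-part suffix such as co.uk.
SECOND_LEVEL = {"co", "com", "org", "ac", "gov", "net"}


def registrable_label(domain: str) -> str:
    """Return the registrable label (the part a squatter imitates), lower-cased."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Collapse homoglyph substitutions and hyphens so lookalikes compare equal."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(candidate: str, legit: str) -> int:
    """Edit distance between the normalised registrable labels of two domains."""
    return levenshtein(normalise(registrable_label(candidate)),
                       normalise(registrable_label(legit)))


def find_lookalikes(candidates, legit_domains=LEGIT_DOMAINS, max_distance=2):
    """Return (candidate, legit, distance) for every candidate within
    max_distance of a trusted domain, skipping exact matches of the real domain."""
    hits = []
    for cand in candidates:
        for legit in legit_domains:
            if cand.lower().strip(".") == legit.lower():
                continue  # the genuine domain is not a lookalike of itself
            dist = lookalike_distance(cand, legit)
            if dist <= max_distance:
                hits.append((cand, legit, dist))
    return hits


if __name__ == "__main__":
    for cand, legit, dist in find_lookalikes(SAMPLE_CANDIDATES):
        print(f"LOOKALIKE {cand!r} resembles {legit!r} (distance {dist})")
```

Run against real telemetry, the candidate list would come from sender domains in mail headers or from hostnames in proxy logs, and the threshold would be tuned to the length of the organisation's domain labels: a distance of 2 is generous for short labels and produces false positives, so short labels often warrant a threshold of 1.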

The campaign also used multiple strains of malware to expand its reach
and maintain its presence within victim networks, including
BADFLICK or GreenCrash, PHOTO or Derusbi, MURKYTOP or mt.exe, and HOMEFRY
or dp.dll. The malware was most often accessed, and the intrusion
infrastructure managed, through anonymiser services such as Tor, while
stolen data was stored on GitHub, concealed using steganographic
techniques. The conspirators also exploited Dropbox API keys to make it
seem that their data exfiltration was an insider legitimately using Dropbox.

More details of the group’s work, including technical details, indicators
of compromise and mitigation advice, can be found in a newly published CISA
advisory.