WASHINGTON — The Biden administration for the first time Monday accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments, and military contractors, as the United States rallied a broad group of allies to condemn Beijing for cyberattacks around the world.
Secretary of State Antony Blinken said China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
The coalition of nations, which included the European Union and, for the first time, all NATO members, stopped short of punishing China, highlighting the challenges of confronting a nation with deep economic ties around the world. Europe has lucrative trade agreements with China and has been reluctant to publicly criticize the country in the past.
Most of the European nations accused Beijing of allowing hackers to operate from Chinese territory, but the U.S. and Britain — whose companies were hit hard in the Microsoft hacking — went a step further, pointing the finger directly at the Chinese government and detailing the relationship between Chinese intelligence and criminal hacking groups.
The diplomatic goal, U.S. officials have said, is to get China, Russia, and other players to agree to a set of guardrails for behavior — not arms control, which would be impossible to verify in a world of invisible, reproducible cyberweapons, but an accord on what kind of targets and behavior would be prohibited.
No sanctions were announced Monday against China, in sharp contrast to the penalties the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected U.S. government agencies and more than 100 companies. White House officials appeared sensitive to the charges that they were treading more carefully with China because of its ability to retaliate.
“We are not holding back,” said Jen Psaki, the White House press secretary.
By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital cold war with its two main geopolitical adversaries than at any time in modern history.
The coordinated announcements, and a related set of indictments of Chinese intelligence officers for stealing intellectual property and medical data, were meant to demonstrate that the West was making a concerted attack to push back, and not only on Chinese action directly related to the Microsoft breach.
Microsoft said in March that hackers it detected inside its Microsoft Exchange systems — servers that companies keep inside their own networks, running Microsoft software — were linked to the Chinese Ministry of State Security. Once inside the servers, the Chinese hackers had a free run of emails, other sensitive corporate data, and intellectual property. The White House called the attack “indiscriminate,” because rather than aim at a particular firm or set of data, it had access to tens of thousands of computers and networks around the world.
But Monday’s announcement was the first suggestion that the Chinese government had also hired or quietly condoned criminal groups to carry out the incursion.
In a statement, Liu Pengyu, the spokesperson for the Chinese Embassy, described the accusation from the U.S. and its allies as one of many “groundless attacks.”
“Now this is just another old trick, with nothing new in it,” Pengyu said.
Pengyu said it was the U.S. that had engaged in “large-scale, organized and indiscriminate cyber intrusion” of its own, citing the 2013 revelations by Edward J. Snowden, who released highly classified documents from inside the National Security Agency that set off a worldwide debate about government surveillance.
Those documents included evidence that the U.S. had broken into the computer systems of Huawei, the giant Chinese telecommunications firm that has been at the center of struggles between Beijing and the West.
The Microsoft systems are used by a broad range of customers, from small businesses to local and state governments and some military contractors. The hackers were able to steal emails and install malware to continue surveillance of their targets.
“We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” NATO said in a statement.
The Justice Department on Monday unsealed an indictment from May charging three Chinese officers with a campaign to hack computer systems of dozens of companies, universities, and government entities in the U.S. from 2011-18. That was well before the attack on Microsoft Exchange servers. The hackers developed front companies to hide any role the Chinese government had in backing the operation, according to the Department of Justice.
While there is nothing new about digital espionage from Russia and China — and efforts by Washington to block it — the Biden administration has been aggressive in calling out both countries and organizing a coordinated response.
But it has not found the right mix of defensive and offensive actions to create effective deterrence, many outside experts say. And the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated detected in the U.S., was an effort by Russia’s lead intelligence service to alter code is widely used network-management software to gain access to more than 18,000 businesses, federal agencies, and think tanks.
China’s effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is “high confidence” that the hacking of the Microsoft email system was done at the behest of the Ministry of State Security, a senior administration official said and abetted by private actors who had been hired by Chinese intelligence.
The last time China was caught in such broad-scale surveillance was in 2014, when it stole more than 22 million security-clearance files from the Office of Personnel Management, allowing a deep understanding of the lives of Americans who are cleared to keep the nation’s secrets.
President Joe Biden has promised to fortify the government, making cybersecurity a focus of his summit in Geneva with President Vladimir Putin of Russia last month. But his administration has faced questions about how it will also address the growing threat from China, particularly after the public exposure of the Microsoft hacking.
Speaking to reporters Sunday, a senior administration official acknowledged that the public condemnation of China would do only so much to prevent future attacks.
“No one action can change China’s behavior in cyberspace,” the official said. “And neither could just one country acting on its own.”
But the decision not to impose sanctions on China was telling. Given the depth of China’s economic interdependence with the United States, an escalation of sanctions and countersanctions would be easy for Beijing to develop. And there was a sense inside the Biden administration that in the Microsoft case, China was exploiting a vulnerability rather than creating a new one, as the Russians did in the SolarWinds attack.
Instead, the Biden administration settled on corralling enough allies to join the public denunciation of China to maximize pressure on Beijing to curtail the cyberattacks, the official said.
The joint statement criticizing China was issued by the U.S., Australia, Britain, Canada, the EU, Japan, and New Zealand. It was also the first such statement from NATO publicly targeting Beijing for cybercrimes.
The EU on Monday condemned “malicious cyber activities” undertaken from Chinese territory but stopped short of denouncing the responsibility of the Chinese government.
“This irresponsible and harmful behavior resulted in security risks and significant economic loss for our government institutions and private companies, and has shown significant spillover and systemic effects for our security, economy, and society at large,” Josep Borrell Fontelles, the EU’s foreign policy chief, said in a statement. “These activities can be linked to the hacker groups,” the statement added.
Borrell called on Chinese authorities not to allow “its territory to be used” for such activities, and to “take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”
The National Security Agency, the FBI, and the Cybersecurity and Infrastructure Security Agency also issued an advisory Monday warning that Chinese hacking presented a “major threat” to the U.S. and its allies. China’s targets include “political, economic, military and educational institutions, as well as critical infrastructure.”
Criminal groups hired by the government aim to steal sensitive data, critical technologies, and intellectual property, according to the advisory.
(STORY CAN END HERE. OPTIONAL MATERIAL FOLLOWS.)
The FBI also took on an unusual role as it investigated the Microsoft hacking earlier this year. Ordinarily, it would get court orders to go into networks to look for evidence of criminal activity. This time it obtained an order that allowed it to actually remove pieces of malicious Chinese code, so that the hackers would not be able to get into the networks again, perhaps to sabotage the networks as well as steal data.
The bureau does not usually act to secure private American networks. But it was also a sign of a new government effort to disrupt the hacking groups, not just seek to prosecute them.
This article originally appeared in The New York Times.