Biden administration blames China for massive Microsoft email software hack

A Microsoft computer on display at a store in suburban Boston.
(Steven Senne / Associated Press)

The Biden administration and Western allies formally blamed China on Monday for a massive hack of Microsoft Exchange email server software and accused Beijing of working with criminal hackers in ransomware attacks and other cyber operations.

The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of activities that a senior Biden administration official described as part of a “pattern of irresponsible behavior in cyberspace.” They highlight the ongoing threat from Chinese government hackers even as the administration remains consumed with trying to curb ransomware attacks from Russian-based syndicates that have targeted critical infrastructure.

The broad range of cyber threats from Beijing disclosed Monday included ransomware attacks from government-affiliated hackers that have targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials allege that China’s Ministry of State Security has been using criminal contract hackers who have engaged in cyber extortion schemes and theft for their own profit.


Unlike in April, when public finger-pointing at Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said that the U.S. had confronted senior Chinese officials and that the White House regarded the multi-nation public shaming as sending an important message.

Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the Ministry of State Security in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of stealing trade secrets and confidential business information.

The European Union and Britain also pointed the finger at China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. Britain’s National Cyber Security Center said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.

In a statement, the EU’s foreign policy chief, Josep Borrell, said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”

The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behavior,” British Foreign Secretary Dominic Raab said.


NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber-threats.”

That hackers affiliated with the Chinese Ministry of State Security carried out a ransomware attack was surprising and concerning to the U.S. government, the senior Biden administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”

The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.

The Microsoft Exchange hack was first identified in January and was rapidly attributed to Chinese cyber spies by private-sector groups. An administration official said the government’s attribution of the operation to hackers affiliated with China’s Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese had been using.

An advisory Monday from the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency laid out specific techniques and ways that government agencies and businesses could protect themselves.

The White House also wanted to line up an international coalition of allies to call out China, according to the official, who said it was the first time NATO had condemned Beijing’s hacking operations.

A Chinese Foreign Ministry spokesperson, asked about the Microsoft Exchange hack, previously said that China “firmly opposes and combats cyberattacks and cyber theft in all forms” and cautioned that attribution of cyberattacks should be based on evidence and not “groundless accusations.”