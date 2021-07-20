A hack of the Microsoft Exchange email server software compromised tens of thousands of computers around the world earlier this year. Photo: AP Photo/Ng Han Guan

THE United States, European Union, Nato and other world powers yesterday accused the Chinese government of a broad array of malicious cyber activities, blaming its Ministry of State Security and affiliated criminals for a sophisticated attack on Microsoft’s widely used email server software earlier this year.

The condemnations represent the first time Nato, a 30-nation alliance, has denounced alleged Chinese cyber attacks following the Biden administration’s pledge in June to rally US allies against Beijing’s malign behaviour. The number of nations involved amounts to the largest condemnation of China’s cyber aggressions to date, US officials said.

The joint statements stopped short, however, of punishing China for its alleged actions, exposing the challenge of confronting the world’s second largest economy by an alliance with deep business ties there.

China’s “pattern of irresponsible behaviour in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” said the White House in a statement yesterday.

This is the first time Washington and US allies have assigned blame for the Microsoft Exchange hack, which compromised more than 100,000 servers worldwide. Microsoft alleged in March that its Exchange servers were compromised by a Beijing-backed hacking group that exploited unknown flaws in the software.

The US and its allies are seeking to put forward a common cyber approach with allies and lay down “clear expectations on how responsible nations behave in cyberspace”, said a senior administration official. Concerns have been raised with senior Chinese officials about the Microsoft incident and broader malicious cyber activity, “making clear that [China’s] actions threaten security, confidence, and stability in cyberspace”.

Affixing blame but failing to impose a consequence will not deter future activity, said some analysts.

“The lack of any sanctions by the US government against Chinese cyber threat actors is a huge problem that transcends four administrations,” said Dmitri Alperovitch, chairman of Silverado Policy Accelerator, a think tank. He noted that the EU, which has lagged the United States in publicly attributing cyber attacks to foreign governments, last year imposed the first-ever cyber sanctions against two Chinese nationals and a Chinese company for a supply-chain hack known as Cloudhopper.

“We need to stop treating China as if they have a special immunity to being held accountable, and we need to act in parity as we have with the other major malicious cyber actors, including Russia,” Mr Alperovitch said.

The Biden administration is “not ruling out further action to hold [China] accountable,” said the senior administration official. “We’re also aware that no one action can change behaviour, and neither can one country acting on its own,” the official added. “So we really focused initially in bringing other countries along with us.”

The allies and partners are also condemning Beijing for working with criminal hacker groups involved in ransomware attacks, including at least one effort to extort a US company for millions of dollars, said the official.



The EU denounced “malicious cyber activities” emanating from China, saying the actions are “in contradiction with the norms of responsible state behaviour”.





