Chinese Hackers Exploit Microsoft SharePoint Zero-Day Vulnerability

By Lisa Wong

A particularly aggressive hacking campaign was recently linked to actors protected by the Chinese state. They are deploying ransomware through a zero-day vulnerability in Microsoft SharePoint software. What makes this campaign particularly worrisome is the level of concern that it’s generated in the cybersecurity community and federal government. It is an existential threat to potentially every organization, particularly those in the public sector.

The hacking campaign takes advantage of a vulnerability that Microsoft had not fixed before it came under active attack. Self-hosted Microsoft Exchange email servers are vulnerable; these servers were exploited by China-nexus hacking groups during a mass-hacking event in early 2021. Experts say that other state and non-state actors, including those backed by the Chinese government, are already taking advantage of this vulnerability.

Charles Carmakal, chief technology officer at Google’s incident response unit Mandiant, offered a blunt assessment: at least one of the people behind this exploit is tied to a hacking collective connected to China’s People’s Liberation Army. His statement shines a bright light on the continuing confusion and denial at the highest levels as to how serious a threat these cyber actors constitute.

The Chinese government has repeatedly denied accusations of its role in these cyberattacks, though it has not always pushed back as clearly or directly on allegations about what its military is doing in cyberspace. Liu Pengyu, spokesperson for the Chinese Embassy in Washington, D.C., stated that China “firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear.” This response comes as China’s aggressive activities in cybersecurity have come under increasing scrutiny.

Dozens of organizations, including municipalities and public health departments, have reportedly been affected by this ransomware campaign. This reality highlights the need for better cybersecurity protections and, more importantly, increased awareness and caution among users and organizations that rely on Microsoft products.

This latest Chinese attribution comes in the wake of several other hacking incidents over the past few weeks that point to Chinese actors. Cybersecurity experts are urgently working to understand the extent and ramifications of these compromises. Mandiant is at the forefront of addressing the threat.