After Confronting Russia, Biden Accuses China of Running Cyber Criminal Ops Against U.S.

After confronting Russian President Vladimir Putin on cybersecurity at their summit last month, U.S. President Joe Biden is rallying allies to accuse China of sponsoring cybercriminal activity across the globe.

A senior Biden administration official outlined the campaign in press call with reporters late Sunday, saying that “the United States has long been concerned about the People’s Republic of China’s irresponsible and destabilizing behavior in cyberspace.”

“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” the official said.

The official highlighted three points for the action plan to be unveiled Monday.

First, it would include “an unprecedented group of allies and partners—including the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO,” all alleging that China’s Ministry of State Security “uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit.”

“Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain,” the official said. “In some cases, we’re aware of reports that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars.”

Secondly, the National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation (FBI) would issue a joint advisory that “will expose over 50 tactics, techniques, and procedures Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, along with advice for technical mitigations to confront this threat,” the official said.

The 31-page advisory, obtained by Newsweek, goes into detail about observed activity attributed to China and the hackers its been accused of hiring, arguing that “Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).”

The third point mentioned by the senior administration on Sunday’s call marked the most direct step yet.

“The United States government, alongside our allies and partners, will formally attribute the malicious cyber campaign utilizing the zero-day vulnerabilities in the Microsoft Exchange Server disclosed in March—a number of months ago—to malicious cyber actors affiliated with the MSS with high confidence,” according to the official.

The attack reportedly affected up to 30,000 servers in the U.S. alone, with thousands more victims abroad.

Hours after the call, on Monday morning, in Department of Justice released a statement regarding an unsealed San Diego federal grand jury indictment charging three individuals—Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin—with “coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities.”

The targets were said to include those beyond the U.S. and extend also to Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Sectors allegedly affected included aviation, defense, education, government, health care, biopharmaceutical and maritime.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa O. Monaco said in an accompanying statement. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”

FBI Deputy Director Paul M. Abbate said the Bureau “will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage for its companies and commercial sectors through criminal intrusion and theft,” while Acting U.S. Attorney Randy Grossman for the Southern District of California argued such actions “threaten our economy and national security.”

This language was echoed in a statement by Secretary of State Antony Blinken, who referenced both the indictments and the U.S.-led effort to attribute the Microsoft Exchange Server attack to China.

“Apart from the PRC’s direct commitments not to engage in cyber-enabled theft of intellectual property for commercial gain, the international community has laid out clear expectations and guidelines for what constitutes responsible behavior in cyberspace,” Blinken said. “Responsible states do not indiscriminately compromise global network security nor knowingly harbor cyber criminals – let alone sponsor or collaborate with them.”

The White House also released a fact sheet containing specific measures undertaken by the Biden administration to shore up national cybersecurity, including a five-point plan to fund “state-of-the-art endpoint security, improving logging practices, moving to a secure cloud environment, upgrading security operations centers, and deploying multi-factor authentication and encryption technologies,” as well as an executive order to shore up cybersecurity and other initiatives.

“By exposing the PRC’s malicious activity, we are continuing the Administration’s efforts to inform and empower system owners and operators to act,” the fact sheet said. “We call on private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”

A statement then released by NATO did not go as far as to accuse China of orchestrating the Microsoft Exchange Server attack, but did “acknowledge” that member states Canada, the U.S. and U.K. had done so.

“In line with our recent Brussels Summit Communiqué, we call on all States, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,” the statement said. “We also reiterate our willingness to maintain a constructive dialogue with China based on our interests, on areas of relevance to the Alliance such as cyber threats, and on common challenges.”

The U.S. has previously accused Russia of both conducting state-backed cyberattacks, including through the military’s Main Directorate, or GU, sometimes still referred to by its former name, GRU, and of tolerating criminal cyber collectives within its territory. In March, Biden slapped a new round of sanctions on Moscow in response to last year’s massive SolarWinds hack and has called on Putin to take action against Russian hackers.

The Kremlin has repeatedly rejected any notions of collusion with cyber collectives and has signaled a willingness to crack down on such behavior in the interest of bilateral cooperation on cyber issues.

The senior administration official on Sunday contrasted the behavior U.S. officials have observed coming from Russia and China.

“On the Russian side,” the official said, “we sometimes see individuals moonlighting. And we see, you know, some connections between Russian intelligence services and individuals, but this kind of—the MSS use of criminal contract hackers to conduct unsanctioned cyber operations globally is distinct.”

The official called the alleged Chinese government tactics “really eye-opening and surprising for us.”

Washington views both Beijing and Moscow as two of its top global competitors, but the latter has increasingly become the focus of U.S. foreign policy efforts to maintain dominance in various fields, including cyber.

Chinese officials have routinely denied any wrongdoing in the cyber realm and have instead accused the U.S. of engaging in global espionage campaigns.

Late last month, Chinese permanent representative to the United Nations Zhang Jun called for international unity in approaching cybersecurity during a U.N. General Assembly debate.

“In cyberspace, countries not only enjoy shared opportunities and common interests, but also face common challenges and assume shared responsibilities,” Zhang was cited as saying at the time by the Chinese Foreign Ministry. “They are increasingly becoming a community with a shared future through weal and woe. The international community should work together in a joint effort to protect cyber security and maintain international peace.”

He said world powers “should promote security through the maintenance of peace and prevent cyberspace from becoming a new battlefield.”