China was blamed for the Microsoft Exchange hack, but the consequences might end there

Australia has joined a US-led coalition of countries blaming China for orchestrating a massive hack of the Microsoft Exchange mail server back in January. 

The hack exposed tens of thousands of organisations across the world and allowed Chinese security agencies — as well as criminal groups allegedly working with them — to access vast troves of valuable data and intellectual property.

So why did the United States and its friends and allies decide to pin the attack on China? What are the risks for Australia? And will there be any actual consequences for Beijing? 

Who joined in?

Only a small number of developed, wealthy countries — all US friends or allies — actually directly attributed the Microsoft Exchange cyber attack to China. 

The US, Australia, New Zealand, Japan, Canada and the United Kingdom all said Chinese state security agencies were behind the hack.

The 27 member states of the European Union also joined in — but hedged their bet. 

The EU certainly denounced the attack in strong language, calling the attack “irresponsible and harmful behaviour” that “resulted in security risks and significant economic loss for our government institutions and private companies”.

European Union High Representative for Foreign Affairs Josep Borrell joined in blaming China for cyber attacks, but stopped short of pointing the finger at the Chinese government itself. (Reuters: Yves Herman, file photo)

But it did not directly blame the Chinese government, instead saying its members “assess these malicious cyber activities to have been undertaken from the territory of China”.

Cyber security expert Bart Hoogeveen from the Australian Strategic Policy Institute (ASPI) said the carefully worded EU statement showed there were clear divisions in the bloc, with some members “not prepared to go as far” as the US.

“This places the EU between Five Eyes countries (the US, the UK, Canada, Australia and New Zealand) and other countries in Asia and other parts of Europe, which are not willing to attribute at all,” he told the ABC. 

Why coordinate the blame?

The logic here is simple. 

If you move in a pack, then not only does your argument carry more force, it’s also harder for Beijing to single out individual states for retribution. 

And the wide attribution, whether direct or indirect, shows the scale of the attack and the damage done. 

Mr Hoogeveen said like-minded states worried about the attacks emanating from China were increasingly trying to “form a bloc” as they pressed Beijing to stop. 

“We’ve seen this approach maturing over the last few years — hardly any countries are attributing alone,” he said.

The decision to accuse China as a bloc makes it harder for the state to retaliate. (Reuters: Damir Sagolj)

“It’s pretty significant as a show of collaboration among like-minded countries. It is also significant that after several international cyber agreements (signed by China) this is the first major event where the discrepancy between what is being said and done is being exposed.” 

How did the cyber attack hurt Australia?

Home Affairs Minister Karen Andrews said Australia would continue to call out China over its hacking campaigns. (ABC News: Andrew Kennedy)

Australia was hardly the main target in January — the Microsoft Exchange hack was vast.

The Australian government estimates around 30,000 businesses and other organisations were hit, across a wide array of countries. 

Home Affairs Minister Karen Andrews said the Australian Cyber Security Centre (ACSC) “identified targeting and compromises of Australian organisations as part of this malicious activity”.

She said the compromise primarily affected businesses and organisations, rather than individuals, and no ransoms were paid to any hackers. 

But she wouldn’t say if those organisations were aware of the hack, whether they lost valuable information or intellectual property, or whether they struggled to function in the aftermath. 

“There were a range of things that happened. It was a significant data breach and access was enabled to these systems so that they could be commandeered and controlled from outside the organisation,” Ms Andrews said.

The ACSC has provided a little more detail, saying it had helped “over 70 organisations” deal with the hack.

“Malicious cyber actors targeted and successfully compromised Australian organisations who had not patched their exchange servers against this vulnerability. The ACSC saw exfiltration of data and the deployment of malware,” an ACSC spokesperson said.

“The ACSC estimates that at least 10,000 Australian-based servers were potentially vulnerable to the Microsoft Exchange vulnerability.”

They said several sectors were exposed, including federal and state government entities, local councils, the IT and media sectors, healthcare and social assistance providers, and professional services.

So what is the point of blaming China?

Will the decision to name and shame the Chinese government stop it from launching or enabling these sorts of cyber attacks? Probably not.

Ms Andrews said the collective attribution would cause “significant reputational damage” to China’s government. 

But Mr Hoogeveen said Beijing simply might not care — or judge reputational cost a small price to pay.

“No-one is under the illusion that the Chinese government or the (criminal) actors here will change their tactics or operations because of this,” he told the ABC. 

But, by corralling allies, the US is conducting a “campaign of mounting pressure” on Beijing to encourage it to curb its activities over time, he said. 

“This is also the art of diplomacy in terms of trying to build a norm. If you have a large-enough group of states drawing this line, it becomes a de facto global norm or rule,” he said. 

There’s also an element of psychology at play, he said. By attributing the attack, the US and its allies are engaging in signalling, and making it clear to Chinese authorities they have the capacity to trace attacks like this. 

Meanwhile, China has denied responsibility.

Will there be any actual consequences for China?

For now, the problems for China end there.

When the United States attributed the SolarWinds hack to Russia earlier this year, it also hit the country with a range of punishments, expelling 10 diplomats and hitting several regime figures with financial sanctions.

It also placed new restrictions on Russia’s sovereign debt in an effort to make it harder for Moscow to trade new debt and raise funds to support its currency. 

Those sanctions were not just in response to the SolarWinds hack — they were also in retaliation for Russia’s attempts to meddle in US elections. 

So far, the Microsoft hack hasn’t brought similar sanctions.

Mr Hoogeveen said the US seems to be keeping its options open, building a case the Biden Administration might use to justify stronger actions in future.

But for now, words are much louder than deeds.
