This morning the US, with the concurrence of the other Five Eyes, NATO, Japan, and the European Union, formally attributed an attack on Microsoft Exchange Server to China's Ministry of State Security. The attribution has long been expected. On May 2nd Microsoft itself had attributed the incident to Hafnium, which it identified as a "state-sponsored threat actor" that "operates from China." NSA, CISA, and the FBI have issued a joint cybersecurity advisory this morning on behalf of the US Government that outlines the basis for the attribution, the tactics, techniques, and procedures the Ministry of State Security employed, and a range of suggested mitigations.
The incident's official attribution to China so far involves no new sanctions or other imposition of costs, the Washington Post reports. Some officials suggest the attribution should set expectations of nation-state behavior in cyberspace.
The US Commerce Department's Bureau of Industry and Security has added six Russian organizations to the Entities List. Placement on the Entities List restricts named persons' or organizations' ability to trade with the US.
Forbidden Stories' Pegasus Project yesterday published the results of a long-running, collaborative investigation of NSO Group. From a leaked list of over fifty thousand phone numbers that "NSO clients selected for surveillance," investigators determined that one hundred eighty journalists in at least five countries were targeted. NSO's government clients involved in the surveillance include Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo, and Rwanda. NSO disputes allegations of involvement, but will investigate the "disturbing" possibility of abuse, the Washington Post says.