Official attribution of the Microsoft Exchange Server attacks: allies say it was China.
Monday morning the US, with the concurrence of the Four other Eyes, NATO, Japan, and the European Union, formally attributed an attack on Microsoft Exchange Server to China's Ministry of State Security. The attribution has long been expected. On May 2nd, Microsoft itself had attributed the incident to Hafnium, which it identified as a "state-sponsored threat actor" that "operates from China." NSA, CISA, and the FBI have issued a joint cybersecurity advisory this morning on behalf of the US Government that outlines the basis for the attribution, the tactics, techniques, and procedures the Ministry of State Security employed, and a range of suggested mitigations.
The incident's official attribution to China so far involves no new sanctions or other imposition of costs, the Washington Post reports. Some officials suggest the attribution should set expectations of nation-state behavior in cyberspace.
Reuters reports that among the governments calling out China for cyberespionage is Norway's, which on Monday publicly attributed a March 10 attack on the parliamentary email system to Beijing. This official attribution has been expected for some time; Chinese intelligence services have been the leading suspect in this incident since early in the investigation. Norway made its attribution in connection with the general accusation by more than thirty nations that China had been engaged in widespread and damaging cyberattacks.
ANSSI, France's national cybersecurity agency, warned at midweek that APT31 (also known as Zirconium and Judgment Panda, a Chinese industrial espionage group) is hijacking home routers to lend resilience to its attack infrastructure.