WASHINGTON -- The Biden administration and Western allies, including all NATO members, formally blamed China on Monday for a major hack of Microsoft Exchange email server software and asserted that criminal hackers associated with the Chinese government have carried out ransomware and other illicit cyberoperations.
China's "pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world," the White House said in a statement Monday.
The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of the activities, highlighting the threat from Chinese hackers even as the administration remains consumed with trying to curb ransomware attacks from Russia-based syndicates that have targeted critical infrastructure.
The broad range of cyberthreats from Beijing disclosed Monday included a ransomware attack from government-affiliated hackers that has targeted victims -- including in the U.S. -- with demands for millions of dollars. U.S officials also alleged that criminal contract hackers associated with China's Ministry of State Security have engaged in cyberextortion schemes and theft for their own profit.
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the State Security Ministry in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of stealing trade secrets and confidential business information.
A spokesperson for the Chinese Embassy in Washington did not immediately return an email seeking comment. But a Chinese Foreign Ministry spokesperson has previously deflected blame for the hack of Microsoft Exchange -- email systems that companies maintain on their own, rather than putting them in the cloud -- saying that China "firmly opposes and combats cyberattacks and cybertheft in all forms" and cautioning that attribution of attacks should be based on evidence and not "groundless accusations."
Unlike in April, when public finger-pointing at Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said the U.S. has confronted senior Chinese officials and that the White House regards the multination shaming as sending an important message.
But the decision not to impose sanctions on China was also telling: It was a step many allies would not agree to take.
President Joe Biden told reporters "the investigation's not finished," and White House press secretary Jen Psaki did not rule out consequences for China, saying, "This is not the conclusion of our efforts as it relates to cyberactivities with China or Russia."
Secretary of State Antony Blinken said in a statement Monday that China "has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain."
"These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the [State Security Ministry] had them on its payroll," Blinken said.
Even without fresh sanctions, Monday's actions are likely to exacerbate tensions with China at a delicate time.
Just last week, the U.S. issued stark warnings against transactions with entities that operate in China's western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.
Then on Friday, the administration advised American firms of the deteriorating investment and commercial environment in Hong Kong, where China has been cracking down on democratic freedoms it had pledged to respect in the former British colony.
The European Union and Britain also called out China. The EU said malicious cyberactivities with "significant effects" that targeted government institutions, political organizations and key industries in the bloc's 27 member states could be linked to Chinese hacking groups. The U.K.'s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was "conducted from the territory of China for the purpose of intellectual property theft and espionage."
The Microsoft Exchange attack "by Chinese state-backed groups was a reckless but familiar pattern of behaviour," U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations "and to act responsibly in the international system, including in cyberspace." The alliance said it was determined to "actively deter, defend against and counter the full spectrum of cyber threats."
Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange, cited the Chinese government for its work.
That hackers affiliated with the State Security Ministry were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was "the kind of aggressive behavior that we're seeing coming out of China."
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government "to conduct unsanctioned cyberoperations globally is distinct," the official said.
Dmitri Alperovitch, former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that State Security Ministry contractors who for years have worked for the government and conducted operations on their behalf have over time decided -- either with the approval or the "blind eye of their bosses" -- to "start moonlighting and engaging in other activities that could put money in their pockets."
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyberspies by private-sector groups. An administration official said the government's attribution to hackers affiliated with the State Security Ministry took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
Given the scope of the attack, Alperovitch said it was "puzzling" that the U.S. avoided sanctions.
"They certainly deserve it, and at this point, it's becoming a glaring standout that we have not," he said.
He added, in a reference to a large Russian cyberespionage operation discovered last year, "There's no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds."
By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital cold war with its two main geopolitical adversaries than at any time in modern history.
While there is nothing new about digital espionage from Russia and China -- and efforts by Washington to block it -- the Biden administration has been surprisingly aggressive in calling out both countries and organizing a coordinated response.
But so far, it has not yet found the right mix of defensive and offensive actions to create effective deterrence, most outside experts say. And both the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated ever detected in the United States, was an effort by Russia's lead intelligence service to alter code in widely used network-management software to gain access to more than 18,000 businesses, federal agencies and think tanks.
China's effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is "high confidence" that the hacking of the Microsoft email system was done at the behest of the State Security Ministry, the senior administration official said, and abetted by private actors who had been hired by Chinese intelligence.
Information for this article was contributed by Eric Tucker, Kelvin Chan, Matthew Lee and Alexandra Jaffe of The Associated Press; by Zolan Kanno-Youngs and David E. Sanger of The New York Times; and by John Hudson, Ellen Nakashima and Devlin Barrett of The Washington Post.