In a rare coordinated action on Monday, the United States, Britain, and the European Union condemned Beijing over its exploitation of Microsoft Exchange servers.
The U.S. and Britain have also attributed broader attacks to China’s civilian intelligence service, the Ministry of State Security. In a very telling example of its deference to Beijing, the EU only attributed the Microsoft Exchange attack to actors located on Chinese soil. Still, China’s aggression and ambition here are defining. The Microsoft Exchange attack makes Russia’s recent SolarWinds intrusion look like a polite request for classified information in comparison.
Addressing China’s broader cyber-espionage campaign, the Department of Justice says that the MSS successfully stole information related to “sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects).”
The British government says that the Microsoft Exchange attack affected 30,000 corporations in the U.S. and many more globally. Britain also says the attack “was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.”
There’s quite a bit to unpack here.
For a start, like its colleagues in the People’s Liberation Army cyber cadres, it’s clear that the MSS has wide operational latitude to conduct highly aggressive cyberintrusions. What makes the specific Microsoft Exchange attack stand out from others is its global ambition and its utter disregard for the collapse of security safeguards upon which global interactions rely. Microsoft servers handle a lot of data from a lot of people and businesses in a lot of places. But China was happy to act in such a way as to make that data vulnerable to the follow-on intrusions of other hostile actors. Once again, we see Beijing’s disdain for fundamental precepts of the international order. Governments would do well to observe this truth as they consider what to do about more overt sides of the Chinese security apparatus (such as Huawei).
The MSS’s targeting priorities are also noteworthy. Drones, undersea vehicles, advanced chemicals, and commercial aircraft parts are all areas in which China lags behind the U.S. and relies upon U.S. exports. Beijing’s interest in securing information related to these areas thus indicates its desire to undermine U.S. advantages. The interest in drones and undersea vehicles is of particular note. After all, those two areas would bear significant relevance in a prospective conflict with the U.S.
The British observation of MSS interest in “personally identifiable information” is also key. This reflects the familiar Chinese espionage interest in gathering information that might then be used to target and recruit human spies. Chinese hackers have previously shown interest in accessing credit ratings, for example. Such personal information is useful in guiding the MSS’s human recruiters on whom to approach. And the MSS has a more impressive record at human recruitment than is commonly understood.
As a final point, we should note the distinct absence of any overt sanctions on China for this activity. That’s a big problem. The Chinese intelligence and security apparatus is highly ideological, and it is designed and employed for highly aggressive, ambitious activity. Beijing bears little to no concern for norms or negative externalities in conducting its activities. So unless the international community is willing to put a price tag on attacks such as this one, Xi Jinping will have no reason not to keep doing what he’s doing. Xi will only laugh at the four indictments the Justice Department has now issued.
It’s time to get a little more serious about Chinese espionage.
Correction: An earlier version of this article implied that the MSS cyber activity and the specific Microsoft Exchange hack were one and the same. In fact, the U.S. and British governments have drawn distinctions between the specific Microsoft Exchange hack and the broader MSS activity. The Washington Examiner regrets the error.