Australia has joined strategic allies including the UK, US, and European Union in blaming China for its involvement in the Microsoft Exchange Server vulnerabilities found earlier this year.
In a joint statement from the Ministers for Home Affairs, Foreign Affairs, and Defence, the government issued its pointed statement against China’s Ministry of State Security for developing exploits that could have targeted thousands of Australian organisations.
“These actions have undermined international stability and security by opening the door to a range of other actors, including cybercriminals, who continue to exploit this vulnerability for illicit gain,” the statement read.
“The Australian Government is also seriously concerned about reports from our international partners that China’s Ministry of State Security is engaging contract hackers who have carried out cyber-enabled intellectual property theft for personal gain and to provide commercial advantage to the Chinese Government.
“Australia calls on all countries – including China – to act responsibly in cyberspace.”
The government is pointing the finger at China months after Microsoft said, in its March announcement, that a group of Chinese hackers named ‘Hafnium’ was behind the exploit.
The Microsoft Exchange Vulnerabilities were so potentially severe that the US Federal Bureau of Investigation began secretly hacking into vulnerable servers and removing web shells Hafnium planted during its original campaign.
The government is following the lead of US intelligence agencies which published an advisory on Monday local time about the tactics, techniques, and procedures (TTPs) commonly used in Chinese state-sponsored cyber attacks.
Included in the advisory is a series of potential behaviours attributed to Chinese state-sponsored cyber attacks, published so security teams can mitigate any intrusions.
“These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organisations to access valuable, sensitive data,” the US intelligence agencies said.
“These cyber operations support China’s long-term economic and military objectives.
“One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products.”
Chinese state media site the Global Times offered a rebuke of the accusations, saying they are “a huge lie” conjured up by Washington “to frame China”.
“The US is stirring up new geopolitical disputes by turning cyber frictions into major conflicts among countries,” the Global Times said in an editorial.
“It tries to constantly frame up new accusations on China together with its allies, making China a symbol of the world's ‘darkness’.”
Global bad actors
China wasn’t the only nation mentioned in the joint statement from Australia’s foreign affairs, intelligence, and defence ministers who said the country had, since 2017, “attributed malicious cyber activity to North Korea, Russia, China and Iran”.
Notably, 2017 was the year the WannaCry ransomware began terrorising unsuspecting Windows systems around the world.
But that ransomware was developed thanks to the irresponsibility of the US National Security Agency (NSA) which had developed and actively used an exploit for Windows called EternalBlue without disclosing it to Microsoft.
Only when the exploit was stolen did the NSA tell Microsoft – around five years after it had begun using the malicious software for its own spying operations.
While intelligence agencies and cyber security firms have routinely blamed the likes of Russia, North Korea, China, and Iran for aggressive cyber campaigns targeting COVID-19 vaccine developers, intellectual property, the World Health Organisation, and even the Tokyo Olympics, the US and its allies have similarly run offensive operations against targets reflecting their own geopolitical interests.
The US and Israel were behind the Stuxnet worm which they allegedly used to sabotage Iranian nuclear facilities.
And Australian hackers joined the US to disrupt the media network used by the Islamic State in 2016 – a story it was only willing to tell two years ago.
More recently, the FBI said it was “relentless” and used “all technical means” to gain control of the bitcoin wallets used to store ransom money from the Colonial Pipeline attack, which likely belonged to hackers in Eastern Europe.