New Zealand has put itself in a vulnerable position by joining other Western allies and Japan in accusing China of state-sponsored cyber attacks, an intelligence analyst says.
New Zealand has joined the US, the UK, the EU, Australia, Japan and Canada in publicly calling out Beijing for hacking.
In statements overnight they have accused China of the major cyber attack on Microsoft Exchange servers earlier this year, affecting at least 30,000 organisations globally.
Western security services believe it signalled a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating.
The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and a broader pattern of "reckless" behaviour. China has previously denied allegations of hacking and says it opposes all forms of cyber-crime.
The New Zealand government said it had uncovered evidence of links between Chinese state-sponsored actors known as Advanced Persistent Threat 40 (APT40) and malicious cyber activity in New Zealand.
"The GCSB has worked through a robust technical attribution process in relation to this activity," Minister responsible for the Government Communications Security Bureau Andrew Little said.
"New Zealand is today joining other countries in strongly condemning this malicious activity undertaken by the Chinese Ministry of State Security (MSS) - both in New Zealand, and globally."
Foreign policy watchers in New Zealand have called the position remarkable, significant, and unusually firm.
But the statement stands alone. Little's spokesperson said it was complete, and the minister has declined interviews today.
The Chinese Embassy in New Zealand described the government's claim as "groundless and irresponsible".
In a statement, an embassy spokesperson said it was strongly dissatisfied and had lodged "solemn representation" with the New Zealand government.
Intelligence analyst Paul Buchanan said intelligence reports had already accused Chinese hackers of involvement in exploiting the Microsoft vulnerability, but the confrontation had escalated.
"Prior to this, Chinese state-sponsored hackers operating under the guise of the Ministry of State Security did targeted espionage, targeted hacking - stealing things but not asking for ransoms.
"They were looking at military targets, diplomatic targets, economic targets.
"Here, this was what has been characterised as a ram raid attack, a smash and grab attack, where state-sponsored hackers shared the vulnerability of Microsoft Exchange with criminal organisations," Buchanan told RNZ's Morning Report.
"This has been a trend that the Russians have exploited, where criminals and state agents overlap and one shares information with the other for their mutual benefit.
"That obviously has ratcheted up the confrontation between signals intelligence agencies in the West and the Chinese, and this response overnight is clear proof of that."
'Cold War mentality' - Chinese Embassy response
In its statement, the embassy in New Zealand said: "China expresses strong dissatisfaction and firm opposition and has already lodged solemn representation with the New Zealand government".
"The Chinese government is a staunch defender of cybersecurity and firmly opposes and fights all forms of cyber attacks and crimes in accordance with law. Given the virtual nature of cyberspace, one must have clear evidence when investigating and identifying cyber-related incidents."
It said making accusations without proof was "malicious smear".
The statement said cybersecurity was a challenge faced by all countries and China always advocated that countries strengthened dialogue and cooperation on the basis of mutual respect, equality and mutual benefit, and addressed the challenge together.
"We urge the New Zealand side to abandon the Cold War mentality, adopt a professional and responsible attitude when dealing with cyber incidents, and work with others to jointly tackle the challenge through dialogue and cooperation, rather than manipulating political issues under the pretext of cybersecurity and mudslinging at others."
'Targeted attack became mass pile-in'
Western intelligence officials say aspects of the attack on Microsoft Exchange services are markedly more serious than anything they have seen before, BBC Security correspondent Gordon Corera reports.
It began in January when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. They used the vulnerability to insert backdoors into systems which they could return to later.
The UK said the attack was likely to enable large-scale espionage, including the acquisition of personal information and intellectual property.
It was mainly carried out against specific systems which aligned with Hafnium's previous targets, such as defence contractors, think tanks and universities.
"We believe that cyber-operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January, and were racing to exploit the vulnerability before [it] was widely identified in the public domain," a security source told the BBC.
If this had been all, it would have been just another espionage operation. But in late February something significant changed. The targeted attack became a mass pile-in when other China-based groups began to exploit the vulnerability. The targets scaled up to encompass key industries and governments worldwide.
It had turned from targeted espionage to a massive smash-and-grab raid.
Western security sources believe Hafnium obtained advance knowledge that Microsoft intended to patch or close the vulnerability, and so shared it with other China-based groups to maximise the benefit before it became obsolete.
It was the recklessness of the decision to spread the vulnerability that helped drive the decision to call out the Chinese publicly, officials say.
Microsoft went public about the vulnerability on 2 March and offered a patch to close it. At this point, more hackers around the world had realised its value and piled in.
Around a quarter of a million systems globally were left exposed - often small or medium-sized businesses and organisations - and at least 30,000 were compromised.
NZ in 'position of vulnerability'
Buchanan said New Zealand had put itself in a position of vulnerability by joining the international condemnation.
"Apparently New Zealand and its partners quietly approached the Chinese and asked them to back off and to change their behaviour. They did the quiet diplomacy that New Zealand is so well known for, and that did not work. Apparently the attacks are persisting.
"All of the partners involved in this public announcement, Nato, the EU, Japan, the other Five Eyes partners, are less vulnerable than New Zealand is to particularly Chinese economic retaliation.
"New Zealand has stuck its neck out here, but I think at some point the actions of states in this domain become intolerable. Clearly the limits of toleration have been reached, even for a small, vulnerable state like New Zealand."
US charges Chinese nationals
The US formally attributed intrusions such as the one that affected servers running Microsoft Exchange earlier this year to hackers affiliated with China's Ministry of State Security. Microsoft had already blamed China.
US officials said the scope and scale of hacking attributed to China has surprised them, along with China's use of "criminal contract hackers."
The US Department of Justice has charged four Chinese nationals - three security officials and one contract hacker - with targeting dozens of companies, universities and government agencies in the United States and abroad.
While a flurry of statements from Western powers represent a broad alliance, cyber experts said the lack of consequences for China beyond the US indictment was conspicuous. Just a month ago, summit statements by G7 and Nato warned China and said it posed threats to the international order.
Adam Segal, a cybersecurity expert at the Council on Foreign Relations in New York, told Reuters the announcement was a "successful effort to get friends and allies to attribute the action to Beijing, but not very useful without any concrete follow-up."
- RNZ / BBC / Reuters