Background Press Call by Senior Administration Officials on Malicious Cyber Activity Attributable to the People’s Republic of China
JULY 19, 2021 • PRESS BRIEFINGS
6:02 P.M. EDT
SENIOR ADMINISTRATION OFFICIAL: Hi, everyone. Thank you for joining us on a Sunday evening. So, we wanted to give you an embargoed preview of tomorrow’s announcement by the U.S. government and our allies and partners about the People’s Republic of China and malicious cyber activities.
This call is on background, attributable to a “senior administration official,” and the contents will be embargoed until 7:00 a.m. Eastern, tomorrow, Monday, July 19th. By joining this call, you are agreeing to these ground rules.
Just for your awareness and not for reporting, joining us today is [senior administration official]. With that, I’m going to turn it over to you.
SENIOR ADMINISTRATION OFFICIAL: Thank you so much. Good evening, everyone. And I echo [senior administration official]’s “thanks” for making Sunday, this evening, a work day, and for joining us this evening — particularly on a nice, summer day. Really, really appreciate your time, and I look forward to hearing your questions.
So, just kicking this off: The United States has long been concerned about the People’s Republic of China’s irresponsible and destabilizing behavior in cyberspace. Tomorrow, the U.S. and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activities and taking further action to counter it, as it poses a major threat to the U.S. and allies’ economic and national security.
The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world.
Tomorrow, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activity are bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.
So, specifically, for tomorrow, three things. First, an unprecedented group of allies and partners — including the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO — are joining the United States in exposing and criticizing the PRC’s Ministry of State Security’s malicious cyber activities. This is the first time NATO has condemned PRC cyber activities.
We will show how the PRC’s MSS — Ministry of State Security — uses criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit. Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain. In some cases, we’re aware of reports that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars.
Second, the National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation — NSA, CISA, and FBI — will expose over 50 tactics, techniques, and procedures Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, along with advice for technical mitigations to confront this threat.
Third, the United States government, alongside our allies and partners, will formally attribute the malicious cyber campaign utilizing the zero-day vulnerabilities in the Microsoft Exchange Server disclosed in March — a number of months ago — to malicious cyber actors affiliated with the MSS with high confidence.
We’ve raised our concerns about both the Microsoft incident and the PRC’s broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace. The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.
No one action can change China’s behavior in cyberspace and neither can just one country acting on its own. Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing, defense.
Hence, these efforts — our cooperation with the EU, NATO, and the Five Eyes countries in this effort — will allow us to enhance and increase information sharing, including cyber threat intel and network defense information with public and private stakeholders, and expand diplomatic engagement to strengthen our collective cyber resilience and security cooperation.
Moreover, tomorrow’s actions are an example of how we continue to build on the progress made from the President’s first foreign trip. From the G7 and EU commitments around ransomware, to NATO adopting a new cyber defense policy for the first time in seven years, we’re putting forward a common cyber approach with our allies and laying down clear expectations on how responsible nations behave in cyberspace.
And now let me just take a few minutes to talk about how the Biden administration continues to mitigate the impact of PRC’s malicious cyber activities and implement an ambitious plan to modernize U.S. cybersecurity defenses.
In order to protect the American people and interests, the U.S. government announced in April that it conducted cyber operations and pursued proactive network defense actions to prevent systems compromised through the Exchange Server vulnerabilities from being used for ransomware attacks or other malicious purposes.
The U.S. government also announced previously that we identified additional vulnerabilities in the Microsoft Exchange Server software and immediately shared them with the company to facilitate the development and release of patches to minimize systemic risk. The contrast between Chinese and U.S. behavior in this case is notable.
The United States announced and operated under a new model for cyber incident response by including private-sector entities in our Cyber Unified Coordination Group — the whole-of-government coordination group, run from the White House, established in response to a significant cyber incident — resulting in increased visibility and stronger public-private collaboration.
We continue to work with likeminded partners and allies to incentivize technological advancement, deploy trustworthy technologies, like open standards based secure 5G.
The Biden administration is committed to promoting an open, interoperable, reliable, and secure Internet that reflects our values of respect for privacy and civil liberties.
And as you all know, we’re working around the clock to modernize federal networks and improve the nation’s cybersecurity, including of critical infrastructure.
The administration has funded five cybersecurity modernization efforts across the federal government to modernize network defenses to meet the threat. These include state-of-the-art endpoint security, improving logging practices, moving to a secure cloud environment, upgrading security operations centers, and deploying multi-factor authentication and encryption technologies. The latter could be deployed fully within six months.
You will note, once you see the NSA, CISA, and FBI product, how many of the Chinese tactics, techniques, and procedures are addressed with these five cybersecurity modernization efforts.
The administration is implementing President Biden’s executive order to improve the nation’s cybersecurity and protect federal government networks.
As you know, the EO contains aggressive but achievable implementation milestones, and, to date, we have met every milestone on time. And I want to highlight four that are particularly meaningful to enduring cybersecurity improvements across both government and private sector systems, and highlight the partnerships we’re building with the private sector.
First, NIST, of the Department of Commerce, convened a workshop with almost 1,000 participants from industry, academia, and government to get input on best practices for building secure software. And then, using that input, NIST issued guidelines for the minimum standards that should be used by vendors to test the security of their software.
This shows how we’re leveraging federal procurement to improve the security of software not only used by the federal government but used by companies, state and local governments, and individuals.
Third, NTIA, also of Commerce, published minimum elements for a Software Bill of Materials — a first and core step to improve transparency of software used by the American public.
And finally, DHS’s CISA established a framework to govern how federal civilian agencies can securely use cloud services.
We continue to work closely with the private sector to address cybersecurity vulnerabilities of critical infrastructure. The administration announced an Industrial Control System Cybersecurity Initiative, as you all know, in April, and launched the Electricity Subsector Action Plan as a pilot.
Using this pilot — under this pilot, we have already seen over 145 of 255 priority electricity entities that the Department of Energy and DHS identified that service over 76 million American customers adopt ICS cybersecurity technologies to date, and the number keeps growing.
We’re going to follow this pilot with efforts — similar pilots for pipelines, water, and chemical because they all face the same threat and they all have similar gaps in cybersecurity technology rollout.
Next, the Transportation Security Administration issued Security Directive 1 to require critical pipeline owners and operators to adhere to cybersecurity standards.
So, recapping: By exposing the PRC’s malicious activity with allies and partners, we’re continuing the administration’s efforts to inform and empower system owners and operators to act at home and around the world.
And we call on private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.
And, with that, again, thanks so much for your time, and I look forward to your questions.
Q Hey, [senior administration official], thanks for dropping all this on a Sunday night. (Laughs.) Can you tell me a lot more about this MSS-affiliated ransomware attack? Is it a ransomware group that we may be familiar with the name? Did they attack an American target? Any other details? When did it happen? Has it been prolific? We’re just so used to it being Russian and Eastern European groups.
SENIOR ADMINISTRATION OFFICIAL: Sure. So, first, Kevin, I appreciated the sardonic nature of your comment. I do have to smile; we’ve worked — you know, the team has been working this, especially with other countries to gain their — to join our attribution for a number of months, and now we drop it on a Sunday evening. So, thank you so much and appreciated the comment. We’ll try to do better in the future.
With regard to the ransomware activity, that is indeed the case. This was surprising to us. And in fact, one of the reasons that we’ve put so much work into this attribution is because it really gave us new insights on the MSS’s work and on the kind of aggressive behavior that we’re seeing coming out of China.
I can’t speak to further details of the ransomware attack [attacks], but it literally was what we think about with ransomware: a ransom request — a large ransom request made to an American company. And really raised concerns for us with regard to the behavior and, frankly, as I noted, with regard to the fact that, you know, individuals affiliated with the MSS conducted it.
Q Hey there. Have you confronted China with this information? And what was their response? And what type of punishment are you talking about doing here?
SENIOR ADMINISTRATION OFFICIAL: Thank you. So, the U.S. government has raised its concerns about both this incident and China’s broader malicious cyber activity with senior Chinese government officials — you know, making clear that these actions threaten security, confidence, and stability in cyberspace. And in fact, this message is sending an additional strong, united message of accountability to China.
The first important piece is the publicly calling out the pattern of irresponsible malicious cyber activity, and doing it with allies and partners. I noted that this was NATO’s first public attribution to China of this kind of malicious cyber activity. So, we think we’re at that first important stage of bringing awareness and buy-in to this attribution, and focusing us together on our collective security efforts, promoting network defense, and other actions needed to disrupt these threats.
Q Hi, [senior administration official]. Thank you so much for doing this. I wanted to ask you about the attribution of the Microsoft Exchange hack. There was some thought that perhaps that could have come earlier than this evening. And I’m wondering if there’s any sort of explanation as to whether there was a complicating factor that made this a process that took, sort of, longer than other attributions that the administration has made so far. Thank you.
SENIOR ADMINISTRATION OFFICIAL: Thanks, Eric. Good question, and it’s a fair one. Two parts: One is, there were really new attributes in the Microsoft Exchange hack in the breadth of compromises — tens of thousands of systems around the world; in the MSS itself; in the fact that we were also attributing, as I noted, the ransomware and for-profit funds by individuals on the MSS payroll — that, really, we wanted to have, you know, high confidence in that assessment.
Second, we really wanted to combine it with network (inaudible) information — malware signatures, other indicators of compromise. And what’s particularly cool, we will see in tomorrow’s CISA, NSA, and FBI releases is it also includes a JSON file to really allow entities to visualize the compromises as well, to really make it more than just flat text.
And then — I think, most importantly — we worked with allies and partners around the world to share the details of the attribution, because there were victims globally around the world from this activity, and to really gain and invite them to join us on the attribution, on the network defense — collective defense partnership, which we felt was really critical to conveying our criticism and our concerns about the irresponsible malicious cyber activities coming out of China.
Q Thank you. And thanks so much, [senior administration official], for doing this. I’m wondering if you can tell us a little bit more about what this announcement will look like tomorrow. Are we going to see press conferences on the part of these various countries or simply coordinated statements all coming out at the same time?
And then can you tell us how the tactics and goals of these Chinese actors differ from what you see coming out of Russian cyber-hacking attempts?
SENIOR ADMINISTRATION OFFICIAL: Thank you. Really good question. So, in the morning, you’ll see the EU release; you’ll see the NATO release. You will see us release a White House factsheet that describes this further, and then some potential further related releases coming out tomorrow morning.
And then, with regard to your second question about how is it different — really good question. It was one that I think Kevin was inferring a bit earlier. First, showing how the MSS is using criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit. Now, that’s — that’s very significant. Showing the cyber-enabled extortion, crypto-jacking — again, all for financial gain of PRC-government-affiliated cyber operators — is significant.
On the Russian side, to your point, we sometimes see individuals moonlighting. And we see, you know, some connections between Russian intelligence services and individuals. But this kind of — the MSS use of criminal contract hackers to conduct unsanctioned cyber operations globally is distinct.
Q Hi, thanks again for doing this and setting up the call. Yeah, just a couple clarifying points. So, is the information coming out tomorrow going to specifically blame the Microsoft Exchange Server attack on these MSS-affiliated hackers?
And, in terms of — you said a couple times now these are, sort of, criminal contract hackers. Can you give us — is there any sort of a better sense about the direct knowledge or insight from the Chinese government, from the PRC into what was actually going on here in terms of was this a freelancing operation, was this on the side, versus something that the government was actually aware of and, in some ways, you know, actually did okay.
And then, separately from that, I think a lot of folks have wondered why Russia was hit with such a strong penalty following SolarWinds and some other malign cyber activity. And this appears to be really just a naming and shaming rather than any sort of punitive steps being taken. Can you sort of just explain a little bit further why there seems to be that difference, especially given how reckless it appears this operation was?
SENIOR ADMINISTRATION OFFICIAL: Thanks, Dustin. Appreciate the question. So, first, tomorrow, the U.S. government, along with our allies and partners, will be formally attributing the Microsoft Exchange campaign, which utilized the — the malicious (inaudible) which utilized the zero-day vulnerabilities in Exchange to malicious cyber actors affiliated with the MSS with high confidence. So, yes.
And MSS is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyber operations globally. So, yes, that is very much with the Ministry of State Security’s knowledge.
And then to your point about SolarWinds and the — really the distinction between the U.S. approach on SolarWinds with Russia, and with regard to here: So, we’ve made clear that we’ll continue to take actions to protect the American people from malicious cyber activity, no matter who’s responsible. And we’re not ruling out further actions to hold the PRC accountable.
We’re also aware that no one action can change the PRC’s behavior, and neither can one country acting on its own. So we really focused initially in bringing other countries along with us. And this is really an unprecedented group of allies and partners holding China accountable. I mentioned it’s the first time NATO has condemned PRC cyber activities.
So we’re really — we felt like the core takeaway here is that we’re making it clear to China that for as long as these irresponsible, malicious cyber activities continue, it will unite countries around the world who are all victims to call them out, promote network defense and cybersecurity working together in that way.
And I think the final piece — and I think you’ve heard me say this many times before, Dustin — there’s an “us and them” aspect. And I think it’s very important that we focus sometimes on the “us” — that we ensure cybersecurity and resiliency at home.
We’re putting a huge amount of work into an ambitious whole-of-government, whole-of-nation, and international plan to modernize U.S. cybersecurity defenses. We have the EU, NATO, and the Five Eyes joining us to increase information sharing, increasing cyber threat intelligence — things like the international coalition we’re building on ransomware; and really expanding that diplomatic engagement to strengthen our collective cyber resilience.
So we view that — the gaining the buy-in, the working together on collective defense — as really key to defending ourselves from the PRC’s malicious cyber activity and continuing to hold them accountable.
Q Thank you. And thank you for doing this on a Sunday night. I just wanted to follow up on our conversation from last week. You did not want to really get into REvil and where they had gone. But you did indicate that it is beneficial to often talk about operations that are carried out. So I was wondering if you could tell us what more you know about why they have disappeared and any possible role by the U.S. or Russia?
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So, Alex, you’re using every opportunity, huh? Okay.
So, first, we are watching — I think, as many of you are — some of what we’re seeing in tracking channels that demonstrate that, you know, at least from looking at the open source information, the REvil’s spokesperson’s account may have been banned from Russian hacking channels. And we continue to see that REvil infrastructure remains down.
We think that’s a very positive thing. This is a group that has brought tremendous negative impact to victims around the world.
We’ve continued to convey to the Russian government that we hold Russia accountable for activities occurring out of — by criminals operating out of Russia. And we continue to look for continued progress — clearly, not only in infrastructure being down, but in the more enduring way, in criminals who do these activities being brought to justice as well.
So it’s probably not a satisfying answer. It’s — as you’ve heard, you know, [senior administration official] and others say multiple times — we’re not going to turn off this activity like the light switch.
We know this will — it didn’t begin in a week or month; it’s been — increased tremendously over the last number of years. And we have our four-part counter-ransomware strategy — which you all know — from resilience, to focusing on cryptocurrencies, to working with countries around the world to build a coalition to hold Russia and other countries accountable, to really focusing on disrupting actors’ infrastructure, and funding payments.
So within that four-part strategy, we view this as a very hopeful progress and steps. And we’re watching closely for continued developments in those areas.
Q Hi, thanks. Yeah, I’m curious if you could say anything about the other aspects of the activity that you’re attributing. You talked about Exchange, you talked about that particular ransomware example that you saw. But anything surprising and in the broader, you know, series of, you know, the mosaic of campaigns that you’re attributing here?
And then, second, did any countries that you shared this information with as part of, you know, rounding up other allies to join the attribution, did any of them decline to join?
SENIOR ADMINISTRATION OFFICIAL: That’s a good question, Eric. So, first, anything surprising — I was actually — I think what we saw really surprising and new here was the use of criminal contract hackers, as I said, to conduct this unsanctioned cyber operation and the — really, the criminal activity for financial gain. That was really eye-opening and surprising for us.
I think the second thing we would say is, you know, the scope and scale of the compromises using the Microsoft Exchange zero-day vulnerability — tens of thousands of computers around the world. That was really of real significance and was very eye-opening to us as well.
And then finally, you asked the second question with regard to countries who turned us down — you know, we’re expecting additional countries in the coming weeks. So, as of yet, you know, we’re really excited about the breadth of this attribution, the first time for NATO, the really global nature — you see the Five Eyes, you see Japan, you see European countries.
So that’s really significant. And I think it highlights just the number of victims of Chinese malicious cyber activity and the degree to which countries increasingly recognize that there’s power in collective defense and that working together will be just far more effective in countering this activity.
SENIOR ADMINISTRATION OFFICIAL: Thank you. Thanks, everyone, again, for joining us today. Just as a reminder, this call is embargoed until tomorrow, 7:00 a.m., Monday, July 19th. It’s attributable to “senior administration officials.”
I’m sorry if you didn’t get to your question. But if you do have further questions, please feel free to reach out to me over email or phone.
Again, thanks for your time and have a good rest of your Sunday.
SENIOR ADMINISTRATION OFFICIAL: I just echo [senior administration official]’s thanks to you all. And have a good rest of the Sunday. And thanks, as always, for just the partnership on informing the broader American people about cyber. We really appreciate it. Good night.
6:27 P.M. EDT