{
	"id": "500d3367-567c-4d93-a7a5-8d342a5a9602",
	"created_at": "2026-04-06T00:08:27.971045Z",
	"updated_at": "2026-04-10T13:12:48.051237Z",
	"deleted_at": null,
	"sha1_hash": "3c2d9cdd1a8c049fb9c7f4d9665f57eaf2a23f6d",
	"title": "UK and allies hold Chinese state responsible for a pervasive pattern of hacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40383,
	"plain_text": "UK and allies hold Chinese state responsible for a pervasive\r\npattern of hacking\r\nBy Foreign, Commonwealth \u0026 Development Office\r\nPublished: 2021-07-19 · Archived: 2026-04-05 16:01:44 UTC\r\nThe UK is joining likeminded partners to confirm that Chinese state-backed actors were responsible for gaining\r\naccess to computer networks around the world via Microsoft Exchange servers.\r\nThe attacks took place in early 2021, affecting over a quarter of a million servers worldwide.\r\nForeign Secretary Dominic Raab said:\r\nThe cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but\r\nfamiliar pattern of behaviour.\r\nThe Chinese Government must end this systematic cyber sabotage and can expect to be held to account if\r\nit does not.\r\nThe attack was highly likely to enable large-scale espionage, including acquiring personally identifiable\r\ninformation and intellectual property. At the time of the attack, the UK quickly provided advice and recommended\r\nactions to those affected and Microsoft said that by the end of March 92% of customers had patched against the\r\nvulnerability.\r\nToday the UK is also attributing the Chinese Ministry of State Security as being behind activity known by cyber\r\nsecurity experts as “APT40” and “APT31”.\r\nWidespread, credible evidence demonstrates that sustained, irresponsible cyber activity emanating from China\r\ncontinues.\r\nThe Chinese government has ignored repeated calls to end its reckless campaign, instead allowing its state-backed\r\nactors to increase the scale of their attacks and act recklessly when caught.\r\nThis coordinated action today sees the international community once again urge the Chinese government to take\r\nresponsibility for its actions and respect the democratic institutions, personal data and commercial interests of\r\nthose with whom it seeks to partner.\r\nThe UK is calling on China to reaffirm the commitment made to the UK in 2015 and as 
part of the G20 not to\r\nconduct or support cyber-enabled theft of intellectual property of trade secrets.\r\nBackground\r\nas part of a cross-Government response, the National Cyber Security Centre (NCSC) issued tailored advice\r\nto over 70 affected organisations to enable them successfully to mitigate the effects of the compromise\r\nin 2018, the UK government and its allies revealed that elements of the Chinese Ministry of State Security\r\n(MSS) were responsible for one of the most significant and widespread cyber intrusions stealing trade\r\nsecrets\r\nthe European Union has also made an announcement today urging Chinese authorities to take action\r\nagainst malicious cyber activities undertaken from its territory\r\nThe National Cyber Security Centre has assessed that:\r\nActor | Activity | NCSC assessment\r\nHAFNIUM | Compromising Microsoft Exchange gave the perpetrator a foothold to pivot further into the IT networks of victims. | NCSC is almost certain that the Microsoft Exchange compromise was initiated and exploited by a Chinese state-backed threat actor. NCSC judge it highly likely that HAFNIUM is associated with the Chinese state. The attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.\r\nAPT40, TEMP.Periscope, TEMP.Jumper, Leviathan | Targeting maritime industries and naval defence contractors in the US and Europe. Targeting regional opponents of the Belt and Road Initiative. Targeting multiple Cambodian electoral entities in the run up to the 2018 election. | NCSC judge it is highly likely that APT40 is linked to the Chinese Ministry of State Security and operates to key Chinese State Intelligence requirements. 
NCSC judge that APT40 is highly likely sponsored by the regional MSS security office, the MSS Hainan State Security Department (HSSD).\r\nAPT31, Judgement Panda, Zirconium, Red Keres | Since 2020 targeting government entities, political figures, contractors and service providers. European countries. Targeting Finnish Parliament in 2020. | NCSC judge it is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security.\r\nSource: https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking"
	],
	"report_names": [
		"uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31",
				"BRONZE EXPRESS",
				"Judgment Panda",
				"Red Keres",
				"TA412",
				"VINEWOOD",
				"Violet Typhoon",
				"ZIRCONIUM"
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c2d9cdd1a8c049fb9c7f4d9665f57eaf2a23f6d.pdf",
		"text": "https://archive.orkl.eu/3c2d9cdd1a8c049fb9c7f4d9665f57eaf2a23f6d.txt",
		"img": "https://archive.orkl.eu/3c2d9cdd1a8c049fb9c7f4d9665f57eaf2a23f6d.jpg"
	}
}