{
	"id": "86b5d6b6-1bc1-4c19-829f-1d4e42b7971e",
	"created_at": "2026-04-06T00:17:27.735761Z",
	"updated_at": "2026-04-10T13:12:03.096159Z",
	"deleted_at": null,
	"sha1_hash": "b0fd4b057e0870f90989522b08c3b5fab6611055",
	"title": "White House formally blames China’s Ministry of State Security for Microsoft Exchange Hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 957304,
	"plain_text": "White House formally blames China’s Ministry of State Security for Microsoft Exchange Hack\r\nBy Martin Matishak\r\nPublished: 2022-12-12 · Archived: 2026-04-05 19:22:06 UTC\r\nThe U.S. and a coalition of allies on Monday formally attributed the sweeping campaign against Microsoft Exchange email servers to hackers affiliated with China’s Ministry of State Security.\r\nThe group assessed with “high confidence” that Beijing-linked digital operators carried out the attack that ensnared hundreds of thousands of systems worldwide, a senior Biden administration official told reporters on Sunday.\r\nIn addition, the partners alleged the ministry — which oversees the civilian arm of Beijing’s intelligence gathering operations — has utilized contract hackers to conduct other malicious cyber activities around the globe, including a ransomware attack on an American company, and other pursuits to line the pockets of MSS officials.\r\nThe use of such hired muscle “was really eye-opening and surprising for us,” said the official, who was only authorized to speak anonymously.\r\nThe coalition includes the U.S., the so-called “Five Eyes” nations, Japan, the European Union and NATO.\r\nMonday’s announcement marks the first time the transatlantic alliance has condemned Chinese digital activities, the official said.\r\nThe massive Exchange hack was first disclosed in March — at the same time the Biden administration was dealing with the SolarWinds breach that has since been formally attributed to Russia’s foreign intelligence service.\r\nAt the time Microsoft announced that it had uncovered new vulnerabilities in its Exchange Server program, which runs businesses’ email systems, adding the tech giant had assessed with “high confidence” that a hacking group known as HAFNIUM, a Chinese state-sponsored group, was exploiting the vulnerabilities.\r\nThe White House signaled late last month that it was getting closer to pinning the attack on a specific culprit.\r\nThe administration official said naming the offender took so long, in part, because of “new attributes” like the sheer breadth of the global campaign, which impacted tens of thousands of organizations across the U.S. alone.\r\nThe White House also wanted to combine the exposure with “network defensive information,” such as malware signatures and other indications of compromise, the official said. The FBI, NSA and CISA issued a joint release that documented over 50 tactics and techniques the Chinese state-sponsored hackers use when targeting U.S. and allied networks and ways to mitigate them.\r\nhttps://therecord.media/white-house-formally-blames-chinas-ministry-of-state-security-for-microsoft-exchange-hack/\r\nPage 1 of 3\r\nIn addition, the U.S. wanted to include its partners and allies in the attribution process and present a unified front in the face of Beijing’s efforts, “which we felt was really critical to conveying our criticism and our concerns about the irresponsible malicious activities coming out of China,” according to the official, who added such concerns had been raised with the country’s Communist government.\r\nMonday’s announcement was markedly different from the one that accompanied the attribution for the SolarWinds intrusion, which saw Moscow officially blamed and sanctioned in the operation that compromised multiple government agencies and private sector companies.\r\nThe official said the administration had made clear that it would take action to protect the country “no matter who's responsible, and we're not ruling out further actions to hold the [People's Republic of China] accountable.”\r\n“We're also aware that no one action can change the PRC behavior, and neither can one country acting on them,” the official added. “We felt like the core takeaway here is that we're making it clear to China that, for as long as these irresponsible malicious cyber activities continue, it will unite countries around the world” to call out the nation’s behavior and promote joint efforts on cybersecurity and network defense.\r\nThe administration official declined to offer additional details about the ransomware incident.\r\n“It literally was what we think about with ransomware … a large ransom request made to an American company, and it really raised concerns for us with regard to the behavior and frankly, … with regard to the fact that individuals affiliated with the MSS conducted it.”\r\nCoalition officials pinned the attacks on groups tracked as APT31 and APT40 by cybersecurity experts, according to a press release from the UK National Cyber Security Centre. Supporting statements were also issued by NATO, the UK government, the European Union Council, Australia, Japan, Canada, Latvia, Lithuania, Estonia, Slovenia, Finland, and Denmark.\r\nMoments after the White House announcement, the DOJ also levied formal charges against four Chinese nationals for their role in the APT40 hacking group.\r\nArticle updated post publication with links to other formal announcements and the DOJ's APT40 charges.\r\nAdditional reporting by Catalin Cimpanu.\r\nMartin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.\r\nSource: https://therecord.media/white-house-formally-blames-chinas-ministry-of-state-security-for-microsoft-exchange-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/white-house-formally-blames-chinas-ministry-of-state-security-for-microsoft-exchange-hack/"
	],
	"report_names": [
		"white-house-formally-blames-chinas-ministry-of-state-security-for-microsoft-exchange-hack"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31",
				"BRONZE EXPRESS",
				"Judgment Panda",
				"Red Keres",
				"TA412",
				"VINEWOOD",
				"Violet Typhoon",
				"ZIRCONIUM"
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0fd4b057e0870f90989522b08c3b5fab6611055.pdf",
		"text": "https://archive.orkl.eu/b0fd4b057e0870f90989522b08c3b5fab6611055.txt",
		"img": "https://archive.orkl.eu/b0fd4b057e0870f90989522b08c3b5fab6611055.jpg"
	}
}