On Monday, the Biden administration, along with a broad coalition of allies, formally accused hackers with ties to Chinese intelligence services of hacking into Microsoft's
"The United States and countries around the world are holding the People's Republic of China accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace," U.S. Secretary of State Antony J Blinken told reporters Monday. China's Ministry of State Security, he added, "has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain."
The U.K., Canada, Japan, New Zealand, NATO, the European Union, and others also joined in attributing the Microsoft Exchange Server hack to actors with ties to China's leadership. However, the U.S. and its allies stopped short of formally sanctioning China for its alleged role in these and other activities.
Additionally, on Monday, the U.S. Justice Department also unsealed an indictment against three Chinese officials charged with using front companies to siphon data from U.S. government agencies, universities, and corporations from 2011 to 2018, data which included research on the Ebola virus.
By joining in the U.S.-led condemnation, both the E.U., NATO, and their member states, broke with their usual policy of strategic silence concerning one of their most integral trade partners.
"We call on all states, including China, to uphold their international commitments and obligations to act responsibly in the international system, including cyberspace," said the Treaty Organization.
However, Joesph Borrell Fontelles, the E.U.'s foreign policy chief, didn't go so far as to link the attacks to the Chinese government, at least not directly. Instead, he urged Chinese authorities not to allow their "territory to be used" for malicious cyber attacks.
"The U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity," Liu Pengyu, spokesperson for the Chinese Embassy in Washington, told the Wall Street Journal on late Monday. "This another old trick, with nothing new in it."
Meanwhile, China's Embassy in New Zealand released a statement on Tuesday calling the allegations "totally groundless and irresponsible."
"The Chinese government is a staunch defender of cybersecurity and firmly opposes and fights all forms of cyber attacks and crimes in accordance with law," read the statement. "Given the virtual nature of cyberspace, one must have clear evidence when investigating and identifying cyber-related incidents. Making accusations without proof is malicious smear."
In March, Microsoft attributed the breach of its email servers to Hafnium, a cyber-intelligence ring with supposed ties to the Chinese government. China's foreign ministry dismissed Microsoft's initial assessment. Since March, however, the U.S. has developed a high degree of confidence that actors with state ties were responsible for the wide-reaching attack.
"No one action can change China's behavior in cyberspace," a top White House official told reporters on Sunday, "And neither could just one country acting on its own."
The same official stressed that the administration sought to maximize diplomatic pressure on Beijing by corralling as many allies as possible. This approach likely meant that direct sanctions weren't on the table ahead of the announcement.
"We've made it clear that we'll continue to take actions to protect the American people from malicious cyber activity, no matter who's responsible," the official continued. "And we're not ruling out further actions to hold the PRC accountable."