China Says US Exploited Old Microsoft Flaw For Cyberattacks

China accused the US of exploiting a flaw in Microsoft Corp.’s email servers to steal military data and launch cyberattacks on its defense sector.

The Cyber Security Association of China said in a statement Friday that US actors had been linked to two major cyberattacks on Chinese military companies, without naming them. They exploited flaws in Microsoft Exchange to control the servers of a key company in the defense sector for nearly a year, it added. The association is a little-known entity backed by the powerful Cyberspace Administration of China.

Redmond, Washington-based Microsoft has repeatedly blamed China for major cyberattacks involving the same software. In 2021, an alleged Chinese operation compromised tens of thousands of Microsoft Exchange servers. In 2023, another alleged Chinese attack on Microsoft Exchange . compromised senior US officials' email accounts. A US government review later accused Microsoft of a “cascade of security failures” over the 2023 incident. And last month, Microsoft said Chinese state-backed hacking groups had exploited vulnerabilities in its SharePoint file-sharing software.

“Every nation-state in the world carries out offensive cybersecurity campaigns against others,” said Jon Clay, vice president of threat intelligence at Trend Micro. “I’m assuming at this point, because of the recent SharePoint vulnerability that Microsoft attributed to China, they are coming out and saying, hey, the US has been targeting us with exploits.”

A spokesperson for the US Embassy in Beijing did not comment on the specific allegations but said in an emailed response Saturday that China is the most “active and persistent cyber threat to US government, private-sector and critical infrastructure networks.”

“Given the significant size and scope of China’s malicious cyber activity, the US government is working with allies and others to counter the threats posed by Salt Typhoon, Volt Typhoon, and other CCP-sponsored malicious cyber actors,” the statement from the embassy added, referring to the Chinese Communist Party. 

Ben Read, director of strategic threat intelligence for Wiz.io, in a recent blog noted that “public attribution of cyber activities” was a technique China was using increasingly to pressure Taiwan and shape “the international dialogue around cybersecurity.” Earlier this year, China had several releases alleging cyberattacks out of Taiwan, a self-governing island that Beijing deems part of its territory.

In April, China accused three NSA employees of hacking the Asian Winter Games held in Harbin, saying they targeted systems that held vast amounts of personal information on people involved in the event. While the US has repeatedly published names of alleged Chinese hackers and filed criminal charges against them, China has historically refrained from making similar accusations about American spies.