The New Zealand government has joined a chorus of public condemnation from the likes of the US, the UK, Australia and other allies accusing the Chinese government of backing malicious cyber activity in regions around the world, including the global Microsoft Exchange Server hack earlier this year.
“New Zealand has established links between Chinese state-sponsored actors known as Advanced Persistent Threat 40 (APT40) and malicious cyber activity in New Zealand,” said Andrew Little, New Zealand Minister responsible for the Government Communications Security Bureau (GCSB) and the New Zealand Security Intelligence Service.
“The GCSB has worked through a robust technical attribution process in relation to this activity. New Zealand is today joining other countries in strongly condemning this malicious activity undertaken by the Chinese Ministry of State Security (MSS) – both in New Zealand and globally,” Little said.
“Separately, the GCSB has also confirmed Chinese state-sponsored actors were responsible for the exploitation of Microsoft Exchange vulnerabilities in New Zealand in early 2021,” he added.
Little noted that New Zealand has joined international condemnation of the exploitation of the Microsoft Exchange platform by Chinese state-sponsored actors, and the widespread and “reckless” sharing of the vulnerability, which he claimed led to other cyber actors’ exploitation of the software.
“We call for an end to this type of malicious activity, which undermines global stability and security, and we urge China to take appropriate action in relation to such activity emanating from its territory,” Little said. “This reinforces the importance of organisations and individuals having strong cyber security measures in place.”
According to Little, the GCSB’s National Cyber Security Centre (NCSC) has provided direct support to New Zealand organisations that have been affected by the malicious cyber activity.
“For both national security and commercial in confidence reasons, these organisations are not identified publicly,” Little said.
According to the GCSB, around 30 per cent of serious malicious cyber activity against New Zealand organisations recorded by the NCSC contains indicators that can be linked to various state-sponsored actors.
On March 2, 2021, Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
Microsoft subsequently released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind exploits targeting the flaws.
The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443.
By 4 March, Microsoft said that its Exchange Server team had released a script for checking Hafnium indicators of compromise (IOCs). The script was published on GitHub.
In a blog post published by the Microsoft Security Response Center on 6 March, the company detailed alternative mitigation techniques for customers who were not able to quickly apply updates and who needed more time to patch their deployments or were willing to make risk and service function trade-offs.