WASHINGTON — The Biden administration on Monday is expected to formally accuse the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, according to a senior administration official. The United States is also set to organize a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world.
The official, who spoke on the condition of anonymity, added that the United States was expected to accuse China for the first time of paying criminal groups to conduct large-scale hackings, including ransomware attacks to extort companies for millions of dollars. Microsoft had pointed to hackers linked to the Chinese Ministry of State Security for exploiting holes in the company’s email systems in March; the U.S. announcement will offer details about the methods that were used, and it is the first suggestion that the Chinese government hired criminal groups to work on its behalf.
Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange — email systems that companies maintain on their own, rather than putting them in the cloud — cited the Chinese government for its work.
Despite the broadside, the announcement will lack concrete punitive steps against the Chinese government such as sanctions similar to ones that the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected U.S. government agencies and more than 100 companies.
By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital Cold War with its two main geopolitical adversaries than at any time in modern history.
While there is nothing new about digital espionage from Russia and China — and efforts by Washington to block it — the Biden administration has been surprisingly aggressive in calling out both countries and organizing a coordinated response.
But so far, it has not yet found the right mix of defensive and offensive actions to create effective deterrence, most outside experts say. And the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated ever detected in the United States, was an effort by Russia’s lead intelligence service to alter code in widely used network-management software to gain access to more than 18,000 businesses, federal agencies and think tanks.
China’s effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is “high confidence” that the hacking of the Microsoft email system was done at the behest of the Ministry of State Security, the senior administration official said, and abetted by private actors who had been hired by Chinese intelligence.
The hacking affected tens of thousands of systems, including military contractors.
The last time China was caught in such broad-scale surveillance was in 2014, when it stole more than 22 million security-clearance files from the Office of Personnel Management, allowing a deep understanding of the lives of Americans who are cleared to keep the nation’s secrets.
President Biden has promised to fortify the government, making cybersecurity a focus of his summit meeting in Geneva with President Vladimir V. Putin of Russia last month. But his administration has faced questions about how it will also address the growing threat from China, particularly after the public exposure of the Microsoft hacking.
Speaking to reporters on Sunday, the senior administration official acknowledged that the public condemnation of China would only do so much to prevent future attacks.
“No one action can change China’s behavior in cyberspace,” the official said. “And neither could just one country acting on its own.”
But the decision not to impose sanctions on China was also telling: It was a step many allies would not agree to take.
Instead, the Biden administration settled on corralling enough allies to join the public denunciation of China to maximize pressure on Beijing to curtail the cyberattacks, the official said.
The joint statement criticizing China, to be issued by the United States, Australia, Britain Canada, the European Union, Japan and New Zealand, is unusually broad. It is also the first such statement from NATO publicly targeting Beijing for cybercrimes.
The National Security Agency and the F.B.I. are expected to reveal more details on Monday about Chinese “tactics, techniques and procedures” in cyberspace, such as how Beijing contracts criminal groups to conduct attacks for the financial gain of its government, the official said.
The F.B.I. took an unusual step in the Microsoft hacking: In addition to investigating the attacks, the agency obtained a court order that allowed it to go into unpatched corporate systems and remove elements of code left by the Chinese hackers that could allow follow-up attacks. It was the first time that the F.B.I. acted to remediate an attack as well as investigate its perpetrators.
