The Honourable Marc Garneau, Minister of Foreign Affairs, the Honourable Harjit S. Sajjan, Minister of National Defence, and the Honourable Bill Blair, Minister of Public Safety and Emergency Preparedness, issued the following statement:
"Today, Canada joins its allies in identifying People's Republic of China's (PRC) state-backed actors for the unprecedented and indiscriminate exploitation of Microsoft exchange servers.
"In early March 2021, Microsoft disclosed vulnerabilities in its exchange servers that were exploited by state actors. This activity put several thousand Canadian entities at risk-a risk that persists in some cases even when patches from Microsoft have been applied. Globally, an estimated 400,000 servers have been affected.
"Canada is confident that the PRC's Ministry of State Security (MSS) is responsible for the widespread compromising of the exchange servers.
"Canada believes it is highly likely that this cyber activity was intended to gain access to networks worldwide for the theft of intellectual property and to acquire vast quantities of personally identifiable information.
"Several cyber groups from the PRC are believed to have taken part in this operation, including Advanced Persistent Threat Group 40 (APT 40). These actors are highly sophisticated and have demonstrated an ability to achieve sustained, covert access to Canadian and allied networks beyond the compromising of Microsoft exchange servers.
"APT 40 almost certainly consists of elements of the Hainan State Security Department's regional MSS office. This group's cyber activities targeted critical research in Canada's defence, ocean technologies and biopharmaceutical sectors in separate malicious cyber campaigns in 2017 and 2018.
"Canada and its allies remain steadfast in their unity and solidarity in calling out irresponsible state-sponsored cyber activity. Canada will continue to release public attributions to make clear to perpetrators that it will expose malicious cyber activity conducted against Canada and its allies. Canada will continue to work in concert with partners on this crucial security issue.
"Canada remains committed to working with partners to support the open, reliable and secure use of cyberspace and calls on China to act responsibly and cease this pattern of irresponsible and harmful cyberspace behaviour. These kinds of reckless actions cannot be accepted and tolerated by responsible state-actors.
"To further protect Canadians, the Canadian Centre for Cyber Security has put out guidance on mitigating the ongoing threat posed by Microsoft exchange server vulnerabilities."
Additional information
Additional information regarding threat group from the PRC:
- Threat Group: APT 40
- Public Names: Also publicly reported as Kryptonite Panda, TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Leviathan, Mudcarp
- Organizations: The PRC's MSS and the Hainan State Security Department
- Targets: Regularly targets South Pacific governments (including Australia and New Zealand) and maritime and defence technologies
