Today's D Brief: China’s MSFT hack; Bagram ‘ghost town’; China’s space program; Gamer leaks secret tank details; And a bit more.

The United States and its allies say China was behind a disruptive and wide-ranging hack of Microsoft’s email system discovered back in March. The affected Microsoft Exchange Server had been in use across more than 30,000 organizations inside the U.S. alone, including defense contractors, cities, and local governments. The attack gave hackers access to email accounts and let them install malware, Microsoft said when it first learned of the breach—which even then it attributed with “high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China.” Cybersecurity reporter Brian Krebs reported at the time that the hackers “seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”

But this new confrontation with China is about more than just the Microsoft hack. U.S. officials said they’re targeting a “pattern of malicious cyber activities” they view as “irresponsible,” “destabilizing,” and “a major threat to the U.S. and allies’ economic and national security.” Those activities allegedly include “cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain,” officials told reporters Sunday. 

There are at least two new and notable elements to Monday’s cyber messaging from the White House: 

  1. The U.S. is now openly accusing China of using “criminal contract hackers” for at least some of its cyber activity, including the Microsoft hack. “We sometimes see individuals moonlighting,” a U.S. official said Sunday. “And we see some connections between Russian intelligence services and individuals. But the [Chinese Ministry of State Security] use of criminal contract hackers to conduct unsanctioned cyber operations globally is distinct.” 
  2. The U.S. says it’s leading “an unprecedented group of allies and partners” in naming and shaming China over its “Ministry of State Security’s malicious cyber activities,” as the White House announced in a statement Monday. That group includes the EU; “Five Eyes” allies Australia, Canada, New Zealand, the United Kingdom; Japan; and NATO. (Also worth noting: “This is the first time NATO has condemned [People’s Republic of China] cyber activities,” White House officials said Sunday.) 

NATO: “We stand in solidarity with all those who have been affected by recent malicious cyber activities including the Microsoft Exchange Server compromise,” the alliance’s political decision-making body, the North Atlantic Council, said in a statement on Monday. “We call on all States, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace.”

By the way: The EU wasn’t as confrontational as the U.S. in terms of blaming China’s leaders. However, the bloc did say in its statement that it “assess[es] these malicious cyber activities to have been undertaken from the territory of China … in contradiction with the norms of responsible state behaviour as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”

But the united front from the U.S. and its allies is also notable for what’s not included, at least not yet anyway: “The announcement will lack concrete punitive steps against the Chinese government such as sanctions similar to ones that the White House imposed on Russia in April,” the New York Times reported Sunday.  

Big-picture take: The U.S. has created an “impressive coalition to denounce China,”said Dmitri Alperovitch, head of the Silverado policy think tank. But “the next step has to have penalties,” he added. 

Speaking of sanctions: The White House is considering new sanctions on Iran’s oil industry over sales of crude oil to China. “The new steps would take place if nuclear talks fail,” the Wall Street Journal reports. 

From Defense One

Biden Goes After China’s Cyber Attackers // Patrick Tucker: U.S. and allies blame China’s government, announce new measures to fight a massive cyber criminal ring akin to Russia’s, but threaten no sanctions yet.

Republicans Try New Bill to Repay National Guard for Post-Riot Protection, Minus a Rapid Response Force // Tara Copp: No House GOPers voted for a May bill that would have reimbursed the Guard more than a half billion dollars.

China’s Space Program Is More Military Than You Might Think  // Peter W. Singer and Taylor A. Lee: Proposals for U.S.-Chinese cooperation must proceed carefully.

What the Afghanistan Withdrawal Means for Georgia’s NATO Dreams // Luke Coffey and Robert E. Hamilton: The Caucasian nation is losing one of its best ways to demonstrate that it belongs in the Western alliance.

Defense Business Brief // Marcus Weisgerber: Defense Business Brief: Getting new tech to troops faster; F-35 mission capable rates rise; Huge bonuses for vaxxed employees; and more.

How the Intelligence Community Can Get Better at Open Source Intel // Bob Ashley and Neil Wiley: Several factors make it harder to use publicly available information in all-source assessment than classified information.

Welcome to this Monday edition of The D Brief from Ben Watson with Jennifer Hlad. If you’re not already subscribed to The D Brief, you can do that here

Afghanistan’s Bagram air base is now a “ghost town,” Stars and Stripes reports Monday after a recent visit there. “Many of the cavernous, empty structures the U.S. vacated were left open, but one in particular remained locked during a recent visit: a squat wooden lodge near the base’s airport terminal, once known as the USO Pat Tillman center. It’s where Rebecca Medeiros, former USO country director in Afghanistan, spent the last year cataloguing mementos.” Read on here.

The White House just transferred his first detainee out of Guantánamo Bay, the New York Times reports.
Moving on: Abdul Latif Nasser, a 56-year-old man from Morocco. He was allegedly a former Taliban fighter; but he was never charged with a crime, the Times reports. “With Mr. Nasser’s departure, there are now 39 prisoners at Guantánamo, 11 of whom have been charged with war crimes.”

And lastly today: A videogamer allegedly leaked classified tank specs to win an argument, Defence Journal reported last week. The user, who identified himself as a commander of the Challenger tanks used by the British Army, complained that the tank was inaccurately depicted in the online multiplayer game War Thunder—and posted excerpts of a classified maintenance manual to prove it.
Officials with the game’s companyfounded in Moscow, based in Cyprus—said UK officials had informed them that the documents were indeed sensitive. The Guardian has more, here.