The Morrison government has joined with the United States, the United Kingdom and other countries to accuse China of “malicious cyber activities”, in a move likely to inflame tensions in the relationship with Beijing.
Senior Australian ministers said they held serious concerns about the activities and called on all countries – including China – to act responsibly in cyberspace.
“In consultation with our partners, the Australian government has determined that China’s ministry of state security exploited vulnerabilities in the Microsoft Exchange software to affect thousands of computers and networks worldwide, including in Australia,” the ministers said in a statement issued late on Monday Australian time.
“These actions have undermined international stability and security by opening the door to a range of other actors, including cybercriminals, who continue to exploit this vulnerability for illicit gain.”
In March, Microsoft released a patch to Exchange after discovering that hackers were stealing email communications from internet-facing systems running its business software.
The Australian government’s cybersecurity agency previously urged any organisations using Microsoft Exchange to urgently “patch” their systems but until now the government has not publicly attributed blame to China.
Monday’s statement was issued by the home affairs minister, Karen Andrews, together with the foreign affairs minister, Marise Payne, and the defence minister, Peter Dutton.
“The Australian government is also seriously concerned about reports from our international partners that China’s ministry of state security is engaging contract hackers who have carried out cyber-enabled intellectual property theft for personal gain and to provide commercial advantage to the Chinese government,” the Australian ministers said.
The Biden administration coordinated the statements pointing the finger at China. An administration official described it as “an unprecedented group of allies and partners”, including the US, the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan and Nato.
The governments “will formally attribute the malicious cyber campaign utilising the zero-day vulnerabilities in the Microsoft Exchange Server disclosed in March” to malicious cyber actors affiliated with the Chinese ministry of state security “with high confidence”, a senior Biden administration official said in a background briefing.
The UK foreign secretary, Dominic Raab, said the cyber-attack amounted to “a reckless but familiar pattern of behaviour”, adding that China “can expect to be held to account” if it failed to “end this systematic cyber-sabotage”.
Andrews, Payne and Dutton called on China to “adhere to the commitments it has made in the G20, and bilaterally, to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining competitive advantage”.
Comment was sought from China’s embassy in Canberra on Monday night. Chinese officials have previously said China was “a staunch defender of cybersecurity and one of the biggest victims of hacking”.
Amid ongoing tensions with Beijing, the Australian ministers appeared to argue on Monday that they were not singling out China. They said that since 2017, Australia had publicly attributed malicious cyber activity to North Korea, Russia, China and Iran.
“Most recently, Australia joined more than 30 international partners to hold Russia to account for its harmful cyber campaign against SolarWinds,” the Australian ministers wrote.
“Australia calls out these malicious activities to highlight the significant risk they can pose to Australia’s national security or to international stability, which in turn can undermine business confidence and inclusive economic growth.”
The ministers said Australia’s “cybersecurity posture” was strong but there was “no room for complacency” because the online threat environment was “constantly evolving”.
The statement, although issued in concert with allies and partners, indicates the Australian government remains prepared to publicly criticise Beijing despite the relationship with Australia’s top trading partner already dropping to the lowest point in years.
Dutton said in April the risk of conflict over Taiwan could not be “discounted”. Around the same time, the secretary of the home affairs department, Michael Pezzullo, said “free nations” were again hearing “the beating drums” towards conflict and needed to brace “for the curse of war”.
Dutton, the former home affairs minister, has previously defended his commentary about security threats posed by China, saying it was “more important than ever that we have a frank and nuanced discussion with the Australian people about the threats we face”.