WASHINGTON: The Biden administration will formally say “in coming weeks” who initiated the widespread Microsoft Exchange server hacks that swept the country earlier this year, Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said. China is the leading suspect.

The attribution will be the third in a series of high-profile cyber incidents the administration has had to grapple with since taking office, the others being SolarWinds and Colonial Pipeline. The administration in April formally attributed the SolarWinds campaign, which began and was disclosed last year but whose effects have spilled over into this year, to the Russian Foreign Intelligence Service (SVR). In May, the FBI said the cybercriminal group DarkSide’s ransomware was used in the Colonial Pipeline attack, although it remains unclear to date whether DarkSide itself or one of its affiliates conducted the intrusion.

The attribution is likely to further strain US relations with China, which military and government officials consistently refer to as the US’s “pacing threat.” China is the world’s second largest economy and the US’s second largest trading partner (after the European Union). The US is China’s top trading partner. All of these factors create a much different dynamic than US relations with Russia.

As Breaking Defense readers know, Microsoft in March disclosed the campaign and released out-of-band patches for four zero-day vulnerabilities in on-premises Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively referred to as ProxyLogon) that were being chained together as part of the wide-ranging cyberespionage campaign. At the time of disclosure, Microsoft attributed the initial campaign with “high confidence” to a previously unknown Chinese group dubbed HAFNIUM. However, soon after disclosure, a range of cyber actors began exploiting the vulnerabilities in unpatched server software, including Chinese, Russian, and criminal threat actors. Applying the patches closed the entry point but did not evict attackers who had already planted web shells on a server, which is why patched organizations still had to hunt for and remove those backdoors.

Approximately 140,000 US organizations were made vulnerable, Neuberger said during a virtual event hosted by Silverado Policy Accelerator.

The Exchange campaign attribution will also provide hints about the role of the first national cyber director in such incidents. NSA veteran Chris Inglis was confirmed for the position just weeks ago.

The scope and scale of China’s extensive cyberespionage gained greater recognition among the general public while Joe Biden was vice president and continued through the Trump administration. Chinese actors conducted multiple high-profile hacks against US targets, including health insurance giant Anthem, credit reporting agency Equifax, and the US government’s Office of Personnel Management. Those three hacks resulted in the loss of Americans’ health, financial, and security clearance data, respectively.

Cyberespionage targeting US intellectual property, including commercial and industrial information, had led to the “greatest transfer of wealth in history,” then-head of CYBERCOM and NSA Gen. Keith Alexander said in 2012. The Intellectual Property Commission Report, published in May 2013, estimated that IP theft was costing the US economy more than $300 billion annually, with China the principal source — an amount financially equivalent to all US exports to Asia at the time of its publication.

Still, the Microsoft Exchange cyberespionage campaign entailed some remarkable events and has left unanswered questions. Chief among them is how threat actors, including Chinese groups other than HAFNIUM, seemingly knew Microsoft was about to disclose the campaign in early March and stepped up their hacking in the days before the patches appeared.

The government’s response entailed an unprecedented — at least to public knowledge — action by the FBI, in which the law enforcement organization obtained a court’s permission to proactively access compromised Exchange servers of private entities and remove the web shells attackers had left behind, without providing those entities advance notice. The operation deleted the backdoors; it did not patch the underlying vulnerabilities or remove any other malware, which remained the server owners’ responsibility. The legal ramifications could be significant for how the government responds to future cyber incidents.

Now the administration must weigh how to respond to the campaign. Details of what counteractions the administration is considering are sparse at the moment. Here’s what can be safely assumed: Should the president decide the US response merits some cyber element, CYBERCOM would lead such an operation, with assistance from the NSA.

The task could prove trickier than most, considering China’s internet is largely closed off to most of the world. But if anyone can conduct such a campaign, it is the world’s only tier-one cyber power.