China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
Today, the EU and its member states, together with partners, expose malicious cyber activities that significantly affected our economy, security, democracy and society at large. The EU and its member states assess these malicious cyber activities to have been undertaken from the territory of China.
The compromise and exploitation of the Microsoft Exchange server undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions. It allowed access to a significant number of hackers that have continued to exploit the compromise to date. This irresponsible and harmful behaviour resulted in security risks and significant economic loss for our government institutions and private companies, and has shown significant spill-over and systemic effects for our security, economy and society at large.
We have also detected malicious cyber activities with significant effects that targeted government institutions and political organisations in the EU and member states, as well as key European industries. These activities can be linked to the hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage.
The EU and its member states strongly denounce these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.
The EU and its member states reaffirm their strong commitment to responsible state behaviour to ensure a global, open, free, stable and secure cyberspace. To this end, we will continue to work on the establishment of a Programme of Action under UN auspices to advance and effectively support states to adhere to responsible state behaviour in cyberspace.
We reiterate our determination to continue to counter malicious behaviour in cyberspace. We will continue to enhance our cooperation, including with international partners and other public and private stakeholders, through increased exchange of information and continued diplomatic engagement, by strengthening cyber resilience and incident handling cooperation, as well as through joint efforts to improve the overall security of software and their supply chains.
The Candidate Countries the Republic of North Macedonia, Montenegro and Albania[1] and the EFTA country Norway, member of the European Economic Area, align themselves with this declaration.
[1] The Republic of North Macedonia, Montenegro and Albania continue to be part of the Stabilisation and Association Process.