The coordinated public attribution campaign by the EU, NATO, Five Eyes and Japan on 19 July 2021 has been portrayed as a largely coherent effort of like-minded countries confronting China’s malicious cyber activities. As this Working Paper will show, this was the case neither in substance nor in form. For instance, while the Five Eyes are the most coherent group when it comes to public attribution, confronting Beijing on the MS Exchange campaign, and highlighting APT40 activity, they failed to achieve consensus on denouncing Beijing’s use of ‘criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit’. Similarly, given the absence of high-volume and high-profile APT40 activity in Europe, it should come as no surprise that the majority of NATO and EU member states were relatively muted on the issue. Meanwhile, the Japanese government –for the first time ever– put forward its own public attribution assessment on APT40. Based on the public information available as of the time of writing, this Working Paper aims to disentangle and explain what occurred on 19 July. To the author’s knowledge this is the first ever case study to take a deep look into a coordinate attribution campaign. It brings together an in-depth analysis of the various government statements and a database that tracked the social media behaviour of numerous government ministries on 19 July 2021.1


On 19 July 2021 the EU’s High Representative for Foreign Affairs and Security Policy (HR), Josep Borrell, published a Declaration on behalf of the EU urging the ‘Chinese authorities to take action against malicious cyber activities undertaken from its territory’.2 The HR’s Declaration kicked off a host of other government statements and tweets on that day, encompassing a wide range of different attribution assessments, intelligence assertions, strategic objectives and diplomatic support. Coordinated to a degree by Washington, the flurry of statements by the EU, NATO, Five Eyes and Japan on Chinese cyber activities was perceived by numerous media outlets as one coherent narrative with a few subtle discrepancies. The goal of this Working Paper is to break that narrative apart by contextualising government motivations and disentangling the political intricacies that were on display that day.

Stefan Soesanto
Senior Cyber Defence Researcher at the Center for Security Studies (CSS) at ETH Zurich 
| @iiyonite

1 See the database here.

2 Council of the EU (2021), ‘China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory’,, 19/VII/2021.

Glasses on top of a laptop. Photo: Kevin Ku @ikukevk