On Wednesday (August 20th), Microsoft, the American technology company, confirmed that it has restricted early access to its network security vulnerability notifications for Chinese companies. Previously, Microsoft had been investigating whether Chinese hackers had gained advance knowledge of SharePoint software vulnerabilities through its alert system.
According to Bloomberg, Microsoft spokesperson David Cuddy stated in a release that Microsoft made an adjustment in July to restrict companies from “countries that require reporting vulnerabilities to the government,” a category that includes China, from accessing its internal early notifications.
It is reported that over a dozen Chinese companies participated in the Microsoft Active Protections Program (MAPP), which discloses newly discovered vulnerability information to network security vendors 24 hours or more in advance.
On July 7th, after Microsoft issued MAPP information and a day before publicly disclosing the patch, Chinese hackers launched an attack on SharePoint. Over 400 government agencies and businesses were breached in the SharePoint attack, including the National Nuclear Security Administration (NNSA), which is responsible for designing and maintaining U.S. nuclear weapons.
Microsoft has confirmed the involvement of two Chinese government-backed hacker groups, Linen Typhoon and Violet Typhoon, in this attack. Microsoft also noted another Chinese threat actor identified as Storm-2603.
It is currently unclear how the Chinese hackers discovered the SharePoint vulnerability.
With the recent adjustment, Microsoft will no longer provide MAPP participants affected by this change with “proof-of-concept” code demonstrating vulnerabilities. Instead, the company spokesperson stated, it will provide those participants with a “more generic written description” of the vulnerabilities, along with the patches when they are released.
“We acknowledge that this information could be misused, so we have taken known and confidential measures to prevent abuse,” Cuddy said. “We will continue to review participants in MAPP, and if we find they violate the contracts we have signed, including prohibitions against engaging in attacking behaviors, we will suspend or remove their membership.”
Dakota Cary, a consultant for the U.S. cybersecurity company SentinelOne, told Bloomberg that Microsoft’s decision to restrict Chinese companies from accessing network security vulnerability information is a “significant change.”
“It is clear that Chinese companies in MAPP must respond to incentives from the (Chinese) government,” he said. “Therefore, the restriction of information provided by Microsoft is reasonable.”
Back in 2012, Microsoft accused a member of MAPP, the Chinese cybersecurity company Hangzhou DPTech Co., Ltd., of leaking information about a critical Windows vulnerability. The company was subsequently removed from MAPP.
In 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about a vulnerability in its Exchange server. This vulnerability triggered a global hacker attack, and Microsoft believed it was linked to a Chinese spy organization called Hafnium.
Bloomberg previously reported that, after the 2021 incident, Microsoft had considered modifying the MAPP program but did not disclose whether it ultimately made any changes or found any vulnerabilities.
According to a report by the U.S. think tank Atlantic Council, a Chinese law enacted in 2021 requires security researchers or companies to report vulnerabilities to the government within 48 hours of discovery.
The Chinese government website indicates that some Chinese companies that are still part of the MAPP program, such as Beijing Cyber Cloud Technology Co., Ltd., are also members of the Chinese National Vulnerability Database project. This could lead to the sharing of vulnerability information with the Chinese government, increasing the risk of abuse.
Microsoft also confirmed for the first time that it has closed the “Transparency Center” it previously established in China. The center allowed the Chinese government to review the source code of the company’s technology to ensure it did not contain hidden “backdoors” for digital surveillance.
Cuddy stated that these types of facilities have “long been decommissioned” in China, and “since 2019, no one has accessed any such facilities in China.”
Since 2003, Microsoft has allowed the Chinese government access to its source code, claiming to be the “first commercial software company to provide source code access rights to the Chinese (Chinese Communist) government” to assure the security of the Windows system.
Microsoft’s recent disclosure was in response to a new report from Bloomberg, which found that Chinese organizations associated with the Chinese government's network espionage activities were working in the same park in Wuhan as MAPP project members.