August 28, 2025 | Policy Brief
Microsoft Severs Chinese Access to Cybersecurity Vulnerability Information
It wasn’t the first time, but Microsoft would love to make it the last. After dozens of government agencies and corporations running SharePoint were recently compromised, the software goliath is cutting off Chinese access to information about vulnerabilities in the company’s products. On August 20, Microsoft announced that it would limit Chinese companies’ access to its security research partner program known as the Microsoft Active Protections Program (MAPP). The company’s decision comes as China has routinely used security vulnerabilities in Microsoft products to target federal agencies. It appears to confirm that Beijing is sending MAPP information (which points out potential software weaknesses before most users are notified) to Chinese cyber operators for exploitation.
Beijing Exploits Cybersecurity Information for Its Hacking Campaigns
As part of MAPP, Microsoft alerts a select group of security vendors about newly discovered flaws in its products. The purpose of the program is to provide these partners with early information about potential problems so that partners can protect their clients, be on the lookout for hackers attempting to exploit the flaws, and help Microsoft develop mitigations and patches. Moving forward, however, Microsoft will no longer provide Chinese partners with technical information about flaws that hackers are not yet exploiting.
The decision follows the company’s determination that Chinese threat actors are responsible for having compromised Microsoft SharePoint servers starting on July 7. Three times between June 24 and July 7, Microsoft shared information with MAPP participants, including Chinese companies, about the exact vulnerability that Chinese operatives used to hack at least half a dozen U.S. government agencies.
This is not the first time that Microsoft has suspected Chinese participants of taking advantage of the MAPP process. In 2012, Microsoft suspended a Chinese MAPP participant for violating the MAPP non-disclosure agreement. More concerningly, Microsoft reportedly suspected that another Chinese group used the MAPP process to gather information on the vulnerabilities in Microsoft Exchange that hackers then used to compromise tens of thousands of organizations in 2021.
Chinese Companies Are Integral to Beijing’s Malign Cyber Activity
After this latest Chinese hack, a Microsoft spokesperson told Bloomberg that the company is blocking companies in “countries where they’re required to report vulnerabilities to their governments” from accessing technical information about vulnerabilities in its products. Under its 2017 National Intelligence Law, China requires all companies to “support, assist, and cooperate with national intelligence efforts.” Beijing also requires researchers and software companies to provide a first look to the Ministry of Industry and Information Technology when they discover any cybersecurity vulnerability. Many Chinese companies also reportedly voluntarily provide vulnerabilities to the China National Vulnerability Database (CNNVD), a Ministry of State Security-run group, in exchange for financial benefits.
Many of these Chinese cybersecurity firms also have dedicated “cyber militia” units in which their employees serve directly under the Chinese military to conduct operations against the United States and U.S. allies. These companies have also been at the forefront of China’s attempts to use faux technical reports to blame the U.S. government for hacking its own critical infrastructure, attempting to conceal the truth that Beijing is responsible for attacks on U.S. energy, transportation, and communications infrastructure.
Other Companies Should Follow Microsoft’s Lead
Microsoft’s decision shows the risks U.S. companies face when transparency in cybersecurity is exploited by authoritarian regimes. Responsible vulnerability disclosure is crucial to the ability of private companies to protect themselves against hackers, but preventing those disclosures from being exploited by coercive legal systems is both legitimate and expected. Other U.S. technology companies should follow Microsoft’s lead and block Chinese companies from participating in similar good-faith cybersecurity communities. Meanwhile, the U.S. government should use law enforcement, financial, and strategic communications tools to identify and punish Chinese companies facilitating Beijing’s cyber and information campaigns.
China is attempting to weaponize norms around cybersecurity transparency. The U.S. government and private American companies can make Beijing pay the price for its behavior.
Ari Ben Am is an adjunct fellow at FDD’s Center on Cyber and Technology Innovation (CCTI), focusing on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Mariam Lomtadze is an intern at CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.