Skip links

China is likely stockpiling and deploying vulnerabilities, says Microsoft

Microsoft has asserted that China’s offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities.

China’s 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information.

A year later, researchers from the Atlantic Council found there was a decrease in reported vulnerabilities coming from China – and an increase in anonymous reports.

Microsoft’s 2022 Digital Defense Report, released last Friday, asserts the Chinese law “might” be enabling the Chinese government to weaponize the vulnerabilities.

“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” said [PDF] Microsoft.

The company described China-based and -backed threat actors as “particularly proficient” when it comes to discovering and developing zero-day exploits.

Microsoft listed several vulnerabilities it said were first developed and deployed by Chinese actors before they were discovered and adopted by other attackers. Those attacks include CVE-2021-35211 SolarWinds Serv-U, CVE-2021-40539 Zoho ManageEngine ADSelfService Plus, CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus, CVE-2021-42321 Microsoft Exchange, and CVE-2022-26134 Confluence.

According to Microsoft, China stepped up its espionage and information-stealing cyber attacks in order to counter the USA’s attempts to increase its influence in Southeast Asia.

Microsoft detailed multiple examples of major known campaigns linked to various Chinese state-sponsored threat actors:

  • the targeting of 100 accounts affiliated with a prominent Southeast Asia intergovernmental organization by Gallium as the org announced meetings between the US government and regional leaders;
  • Malware from Gadolinium on Solomon Islands government systems and malicious code from Radiumon in Papua New Guinea’s telecommunications networks – both likely for intelligence collection purposes as Solomon Islands and China entered a military agreement;
  • Campaigns targeting nations across the global South in line with its Belt and Road Initiative, including Namibia, Mauritius, and Trinidad and Tobago, among others, even as China considers countries like Trinidad and Tobago important partners in the region.

The 114-page report detailed other tactics – such as China’s participation in foreign propaganda operations, alongside Russia and Iran.

Microsoft credited Russia with increasing the number of cyber attacks targeting critical infrastructure from 20 percent of all nation-state attacks it detected in 2021 to 40 percent in 2022, with most attacks due to Russia relentlessly targeting Ukraine.

Iran also reacted to deteriorating geo-political relationships by launching campaigns against US port authorities, in addition to swipes at Israel and the EU.

Meanwhile North Korea continued to steal cryptocurrency from financial and tech companies while launching attacks on aerospace companies and researchers. The hermit kingdom also attempted to gain access to global news organizations. ®