Microsoft has claimed that China’s offensive cyber capabilities have improved, thanks to a law that allowed Beijing to build an arsenal of unreported software vulnerabilities. China’s 2021 law requires organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can draw on local research to gather information about vulnerabilities. A year later, Atlantic Council researchers found a decrease in reported vulnerabilities from China and an increase in anonymous reports.
On February 23, 2022, the world of cyber security entered a new era, the era of hybrid warfare, when Russia launched physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new details about these attacks and the rise in cyber aggression from authoritarian leaders around the world.
Over the past year, cyberattacks targeting critical infrastructure have increased from 20% of all nation-state attacks detected by Microsoft to 40%. This increase was largely due to Russia’s goal of damaging Ukrainian infrastructure and its aggressive espionage targeting Ukraine’s allies, including the United States. Russia has also stepped up its efforts to compromise IT companies in order to disrupt, or obtain intelligence from, the government agencies that are customers of those companies in NATO member states. 90% of the Russian attacks detected by Microsoft over the past year targeted NATO member countries, and 48% of these attacks targeted IT companies based in NATO countries.
Russia was not alone in linking political and physical aggression to cyber attacks. Microsoft noted that:
- Iranian actors have stepped up their bold attacks following a transition of presidential power. They have launched destructive attacks targeting Israel, as well as ransomware and hacking operations that reach beyond regional adversaries to target US and European victims, including US critical infrastructure targets such as port authorities. In at least one case, Microsoft detected an attack disguised as ransomware that was designed to delete Israeli data. In another, an Iranian actor carried out an attack that set off emergency missile sirens in Israel.
- As North Korea entered its most aggressive period of missile testing in the first half of 2022, one of its actors launched a series of attacks to steal technology from aerospace companies and researchers around the world. Another North Korean actor attempted to gain access to global news media reporting on the country and to Christian groups. A third actor continued its often unsuccessful attempts to break into cryptocurrency companies to steal funds to prop up the country’s struggling economy.
- China has stepped up its cyber espionage and information theft attacks as it seeks to exert greater regional influence in Southeast Asia and counter growing US interest. In February and March, a Chinese actor targeted 100 accounts associated with a prominent intergovernmental organization in Southeast Asia when the organization announced a meeting between the US government and regional leaders. Just after China and Solomon Islands signed a military agreement, Microsoft discovered malware from a Chinese actor on Solomon Islands government systems. China has also used its cyber capabilities in campaigns targeting countries in the Global South, including Namibia, Mauritius and Trinidad and Tobago, among others.
Microsoft’s 2022 Digital Defense Report, released last Friday, claims that Chinese law may allow the Chinese government to weaponize vulnerabilities.
The increased use of zero-days over the past year by China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and an important milestone in the use of zero-day exploits as a state priority, Microsoft said.
The company described China-based and supported malware actors as particularly adept at discovering and developing zero-day exploits.
Microsoft has listed several vulnerabilities that it says were first developed and deployed by Chinese actors before being discovered and adopted by other attackers. These vulnerabilities include CVE-2021-35211 (SolarWinds Serv-U), CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus), CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus), CVE-2021-42321 (Microsoft Exchange), and CVE-24 Confluence.102.
According to Microsoft, China has stepped up its cyber espionage and information theft attacks to counter US attempts to increase its influence in Southeast Asia.
Microsoft has detailed several examples of known large-scale campaigns linked to various Chinese state-sponsored threat actors:
- the targeting of 100 accounts associated with a major Southeast Asian intergovernmental organization by Gallium as the organization announced meetings between the US government and regional leaders;
- Gadolinium malware on Solomon Islands government systems and Radium malicious code in Papua New Guinea’s telecommunications network, both likely for intelligence-gathering purposes as the Solomon Islands and China struck a military agreement;
- campaigns targeting countries in the Global South under its Belt and Road Initiative, including Namibia, Mauritius and Trinidad and Tobago, among others, as China views countries such as Trinidad and Tobago as important partners in the region.
The 114-page report details other tactics, such as China’s participation in foreign propaganda operations alongside Russia and Iran.
Microsoft has credited Russia with increasing the share of cyber attacks targeting critical infrastructure from 20% of all nation-state attacks it detected in 2021 to 40% in 2022, with most of those attacks stemming from Russia’s relentless targeting of Ukraine. Iran has also responded to the deterioration of geopolitical relations by launching campaigns against US port authorities, in addition to attacks on Israel and the European Union. Meanwhile, North Korea continued to steal cryptocurrency from financial and technology companies while launching attacks on aerospace companies and scientists. The Hermit Kingdom has also attempted to gain access to global news media.
Other report findings
Cybercriminals continue to behave like sophisticated for-profit companies
Cybercrime continues to rise as the industrialization of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. Within the last year alone, the estimated number of password attacks per second increased by 74%. Many of these attacks fueled ransomware attacks, resulting in ransom demands more than doubling. However, these attacks were not distributed equally across all regions. In North America and Europe, Microsoft has seen a decrease in the total number of ransomware cases reported to its response teams compared to 2021. At the same time, cases reported in Latin America have increased. Microsoft has also seen a steady year-over-year increase in phishing emails. While Covid-19 themes were less prevalent than in 2020, the war in Ukraine became a new phishing lure starting in early March 2022. Microsoft researchers observed a staggering increase in emails impersonating legitimate organizations that solicited cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukraine.
Foreign actors use highly effective techniques, often mirroring cyberattacks, to spread propaganda that erodes trust and influences public opinion, both nationally and internationally.
Influence operations are a new section of Microsoft’s report this year because of its new investments in analytics and data science to combat this threat: We observed how Russia worked hard to convince its citizens and the citizens of many other countries that its invasion of Ukraine was justified, while sowing propaganda to discredit Covid-19 vaccines in the West and promoting their effectiveness at home. We have also observed a growing overlap between these operations and cyber attacks.
In particular, influence operations use a well-known three-step approach:
- Cyber influence operations pre-plant false stories into the public domain, just as attackers pre-plant malware into an organization’s computer network.
- A coordinated campaign is launched – often at the most advantageous time to achieve the actor’s goals – to spread the stories through state-sponsored and influenced media and social networks.
- Nation-state controlled media and proxies amplify narratives within targeted audiences.
Source: Microsoft report
How do you read this situation?
Are you surprised to discover that Chinese law can be used to store and use security vulnerabilities for its own purposes?