Microsoft has claimed that China’s offensive cyber capabilities have improved, thanks to a law that allowed Beijing to create an arsenal of unreported software vulnerabilities. China’s 2021 law required organizations to report security breaches to local authorities before disclosing them to any other entity. The rules mean that Beijing can use local search to accumulate information about vulnerabilities. A year later, researchers from the Atlantic Council found a decrease in reported vulnerabilities from China and an increase in anonymous reports.
On February 23, 2022, the world of cybersecurity entered a new era, the era of hybrid warfare, as Russia launched physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new details about these attacks and the increase in cyber aggression from authoritarian leaders around the world.
Over the past year, cyberattacks targeting critical infrastructure have fallen from 20% of all nation-state attacks detected by Microsoft to 40%. This spike was due, in large part, to Russia’s aim to damage Ukrainian infrastructure and aggressive espionage targeting Ukraine’s allies, including the United States. Russia has also accelerated its attempts to compromise IT companies in order to disrupt or obtain intelligence from government agencies that are clients of these companies in NATO member countries. 90*% of Russian attacks that Microsoft has detected over the past year have targeted NATO member states, and 48*% of those attacks have targeted IT companies based in NATO countries.
Russia was not alone in associating political and physical aggression with cyberattacks. Microsoft noted that:
- Iranian actors have stepped up their bold attacks following a transition of presidential power. They have launched destructive attacks targeting Israel, as well as ransomware and hacking operations beyond regional adversaries to target US and European victims, including US critical infrastructure targets like port authorities. In at least one case, Microsoft has detected an attack disguised as a ransomware attack intended to erase Israeli data. In another, an Iranian actor carried out an attack that triggered emergency rocket sirens in Israel.
- As North Korea entered its most aggressive period of missile testing in the first half of 2022, one of its actors launched a series of attacks to steal technology from aerospace companies and researchers around the world. Another North Korean actor has tried to gain access to global news outlets that report on the country and Christian groups. And yet, a third actor continued his often unsuccessful attempts to break into cryptocurrency businesses to steal funds to prop up the country’s struggling economy.
- China has stepped up its cyber espionage and information theft attacks as it tries to exert greater regional influence in Southeast Asia and counter growing US interest. In February and March, a Chinese actor targeted 100 accounts affiliated with a prominent intergovernmental organization in Southeast Asia, as the organization announced a meeting between the US government and regional leaders. Just after China and the Solomon Islands signed a military agreement, Microsoft detected malware from a Chinese actor on Solomon Islands government systems. China has also used its cyber capabilities in campaigns targeting countries in the global South, including Namibia, Mauritius, and Trinidad and Tobago, among others.
Microsoft’s 2022 Digital Defense Report, released last Friday, claims Chinese law could allow the Chinese government to weaponize vulnerabilities.
The increased use of zero-days over the past year by China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major milestone in the use zero-day exploits as a state priority, Microsoft said.
The company described China-based and backed malware actors as particularly adept at discovering and developing zero-day exploits.
Microsoft has listed several vulnerabilities that it says were first developed and deployed by Chinese players before being discovered and adopted by other attackers. These attacks include CVE-2021-35211 SolarWinds Serv-U, CVE-2021-40539 Zoho ManageEngine ADSelfService Plus, CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus, CVE-2021-42321 Microsoft Exchange, and CVE-2022-26134 Confluence.
According to Microsoft, China has stepped up its cyber espionage and information theft attacks to counter US attempts to increase its influence in Southeast Asia.
Microsoft has detailed several examples of known major campaigns linked to various Chinese state-sponsored threat actors*:
- the targeting of 100 accounts affiliated with a major Southeast Asian intergovernmental organization by Gallium as the organization announced meetings between the US government and regional leaders*;
- Gadolinium malware on Solomon Islands government systems and Radiumon malicious code in Papua New Guinea telecommunications networks – both likely for intelligence gathering purposes as Solomons and China strike deal military*;
- campaigns targeting countries in the South under its Belt and Road Initiative, including Namibia, Mauritius and Trinidad and Tobago, among others, even as China sees countries like Trinidad and Tobago as important partners in the region.
The 114-page report details other tactics, such as China’s participation in foreign propaganda operations alongside Russia and Iran.
Microsoft has credited Russia with increasing the number of cyberattacks targeting critical infrastructure from 20% of all nation-state attacks it detected in 2021 to 40% in 2022, with most attacks being due to the fact that the Russia relentlessly targets Ukraine. Iran has also reacted to the deterioration in geopolitical relations by launching campaigns against US port authorities, in addition to attacks on Israel and the EU. Meanwhile, North Korea continued to steal cryptocurrency from financial and technology companies while launching attacks on aerospace companies and researchers. The hermit kingdom has also attempted to gain access to global news outlets.
Other Report Findings
Cybercriminals continue to act like sophisticated for-profit companies
Cybercrime continues to rise as the industrialization of the cybercrime economy lowers the skills barrier to entry by providing greater access to tools and infrastructure. In the past year alone, the estimated number of password attacks per second has increased by 74*%. Many of these attacks fueled ransomware attacks, resulting in ransom demands that more than doubled. However, these attacks were not distributed evenly across all regions. In North America and Europe, Microsoft has seen a decrease in the total number of ransomware cases reported to its response teams compared to 2021. At the same time, cases reported in Latin America have increased. Microsoft has also seen a steady year-over-year increase in phishing emails. While Covid-19 themes were less prevalent than in 2020, the war in Ukraine became a new phishing lure from early March 2022. Microsoft researchers observed a staggering increase in emails posing as for legitimate organizations soliciting cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukraine.
Foreign actors use highly effective techniques – often mirroring cyberattacks – to enable the influence of propaganda to erode trust and impact public opinion – domestically and internationally.
Influence operations are a new section of Microsoft’s report this year due to its new investments in analytics and data science to combat this threat: We observed how Russia worked hard to convince its citizens, and citizens of many other countries, that his invasion of Ukraine was justified – while sowing propaganda to discredit Covid-19 vaccines in the West while promoting their effectiveness at home. We have also observed a growing overlap between these operations and cyberattacks.
In particular, influence operations use a familiar three-step approach*:
- Cyber influence operations pre-position false stories in the public domain, much like attackers pre-position malware in an organization’s computer network.
- A coordinated campaign is launched – often at the most advantageous time to achieve the actor’s goals – to spread the stories through government-supported and influenced media and social networks.
- Nation-state-controlled media and proxies amplify narratives within targeted audiences.
Source: Microsoft report
How do you read this situation?
Are you surprised to discover that Chinese law could be used to store and use security vulnerabilities for its own purposes?