Microsoft has curtailed Chinese companies’ access to advance notifications about cybersecurity vulnerabilities in its technology after investigating whether a leak led to a series of hacks exploiting flaws in its SharePoint software.
The change, which occurred last month, will limit access for program participants in “countries where they’re required to report vulnerabilities to their governments,” which would include China, according to David Cuddy, a Microsoft spokesperson. The goal of the Microsoft Active Protections Program, or MAPP, is to provide security software companies around the world with early details about flaws in Microsoft products so they can provide updated protections for their customers faster.
The announcement from Microsoft follows a campaign of cyberattacks that Microsoft blamed on state-sponsored hackers in China who targeted security weaknesses in SharePoint servers. More than 400 government agencies and corporations were breached in the SharePoint attacks, including the U.S.’s National Nuclear Security Administration, responsible for designing and maintaining the country’s nuclear weapons.
It’s unclear how alleged Chinese hackers discovered the vulnerabilities in SharePoint. Following the attacks, however, Microsoft investigated whether details about the flaws may have leaked from its MAPP partners, Bloomberg News previously reported.
Now, Microsoft will no longer provide MAPP participants affected by the change with “proof of concept” code demonstrating flaws. Instead, it will issue them “a more general written description” of the vulnerabilities, which it would send at the same time as patches to fix the weaknesses are released, the company spokesperson said.
“We’re aware of the potential for this to be abused, which is why we take steps — both known and confidential — to prevent misuse,” Cuddy said. “We continuously review participants and suspend or remove them if we find they violated their contract with us, which includes a prohibition on participating in offensive attacks.”
Cuddy didn’t comment on the findings of Microsoft’s investigation into a potential leak related to the SharePoint hacks but said there were “multiple working theories on the cause.”
A spokesperson for the Chinese Embassy in Washington, D.C., said in a statement they were not familiar with the details of Microsoft’s changes or suspected leaks from the MAPP program. But they added that cybersecurity was a “common challenge” faced by all countries and should be addressed jointly through dialogue and cooperation.
The MAPP group includes at least a dozen Chinese technology and cybersecurity companies, according to Microsoft. Those members would previously receive information about patches to security vulnerabilities at least 24 hours before Microsoft released them to the public.
Concerns about Chinese participants are due in part to a 2021 law mandating that any company or security researcher who identifies a cybersecurity vulnerability must report it within 48 hours to China’s Ministry of Industry and Information Technology. In addition, MAPP has been the source of alleged leaks as far back as 2012, when Microsoft accused Hangzhou DPtech Technologies, a Chinese network security company, of breaching a nondisclosure agreement, disclosing information that exposed a major vulnerability in Windows.
More recently, in 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign that Microsoft blamed on a Chinese espionage group called Hafnium.
Dakota Cary, a China-focused consultant at the U.S. cybersecurity company SentinelOne, said Microsoft’s decision to curtail Chinese companies’ access to information on cybersecurity vulnerabilities was a “fantastic change.”
“It is very clear the Chinese companies in MAPP have to respond to incentives from the government,” Cary said. “So it makes sense to limit the information provided.”
Eugenio Benincasa, a researcher who specializes in analyzing Chinese cyberattacks at ETH Zurich’s Center for Security Studies, said there had been suspicions about leaks out of the MAPP program for years, but added that “unprecedented attention on China’s cyber operations right now” meant Microsoft likely felt pressure to take action.
Microsoft also confirmed for the first time that it had shut down “transparency centers” it had previously set up in China, where the government could review the source code of the company’s technology to confirm it was free of hidden “backdoors” that can be used for digital surveillance. Cuddy said such facilities in China had “long been retired” and that “no one has visited one in China since 2019.”
The tech giant had permitted access to its source code in China since at least 2003, when the company announced it was “the first commercial software company that provides the Chinese government with access to its source code” and had done so to provide authorities with confidence in the security of the Windows platform.
Microsoft’s recent disclosures came in response to questions from Bloomberg News concerning allegations in a new report that Chinese organizations tied to cyberespionage were working at the same sprawling campus in Wuhan with members of the MAPP program.
The organizations were operating out of the National Cybersecurity Center, which specializes in defensive and offensive hacking technologies and houses a division of China’s Ministry of State Security, according to a report prepared by the Tech Integrity Project, a U.S. advocacy group.
Cuddy, the Microsoft spokesperson, said that Microsoft had never engaged with the cybersecurity center in Wuhan.
The spokesperson for the Chinese Embassy in Washington, D.C., said in a statement they were not familiar with the specific details of the report, but added that China “opposes and fights hacking activities in accordance with the law.”
“At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues,” the spokesperson said.