Microsoft Investigates Leak in Early Warning System Used by Chinese Hackers to Exploit SharePoint Vulnerabilities
Chinese laws requiring vulnerability disclosure to the government create transparency issues and potential conflicts for international cybersecurity efforts.
Microsoft is probing whether a leak from its confidential early warning system enabled Chinese state-sponsored hackers to exploit significant flaws in its SharePoint software, leading to breaches at over 400 organizations, including the U.S. agency responsible for nuclear weapons.
Key Takeaways
1. Microsoft is investigating a potential leak from its early warning system that enabled Chinese hackers to exploit SharePoint vulnerabilities.
2. Over 400 organizations, including the U.S. nuclear agency, have been breached in recent cyberattacks linked to Chinese hacker groups.
3. The Active Protections Program (MAPP) has faced previous leaks, raising concerns about its effectiveness and partner security.
The company’s Active Protections Program (MAPP), intended to give cybersecurity experts advance notice of serious vulnerabilities, is at the center of the investigation.
Sources familiar with the incident told Bloomberg that Microsoft suspects a tip-off from partners in the program may have enabled attackers to strike critical systems mere hours before public patches were released.
The ramifications have been severe. Hackers believed to be affiliated with the Chinese groups named Linen Typhoon, Violet Typhoon, and Storm-2603 have been identified as responsible for these intrusions.
The National Nuclear Security Administration, numerous global corporations, and government agencies are among the victims.
Microsoft’s spokesperson committed to a full review and pledged to implement improvements, emphasizing that partner alert programs are vital but acknowledging serious concerns over potential leaks.
Pattern of Breaches and Program Risks
- More than 400 government agencies and corporations worldwide have been breached in recent attacks exploiting SharePoint vulnerabilities.
- The suspected attackers are reportedly linked to Chinese state-sponsored groups, including Linen Typhoon, Violet Typhoon, and Storm-2603.
- Microsoft’s Active Protections Program (MAPP) gives cybersecurity vendors advance notification about software vulnerabilities to allow time for defense preparation.
- Alleged leaks in the MAPP program have historical precedent: In 2012, a Chinese company was removed for such an incident; in 2021, suspected leaks led to a massive Exchange server hack.
- Some MAPP partners may be required by Chinese law to report discovered vulnerabilities to national authorities, raising concerns about dual obligations and transparency.
- Microsoft pledges to investigate the current breach and improve partner program security, even as questions persist about the risks of sharing sensitive vulnerability data globally.
MAPP, designed to allow preemptive defense against cyberattacks, gives some vetted security vendors access to vulnerability information up to five days ahead of public disclosure.
While all partners must sign non-disclosure agreements and prove their credentials, this is not the first time suspicions have been raised regarding leaks from the program.
In 2012, Microsoft publicly accused Chinese company Hangzhou DPtech of breaching confidentiality and exposing a critical Windows flaw, resulting in the company’s removal from MAPP.
The most recent suspicions echo a 2021 episode, when Microsoft believed two Chinese MAPP partners had leaked details about Exchange server vulnerabilities.
The leaks preceded a global hacking spree by the group known as Hafnium, which constituted one of the worst breaches in Microsoft’s history, affecting tens of thousands of systems worldwide.
Despite these incidents, it remains unclear what, if any, reforms were made to strengthen the MAPP program since then.
Multiple security experts now warn that a documented leak could pose a grave threat to the effectiveness of the initiative.
Underlying these events is a concern about the intersection of Chinese law and international cybersecurity agreements.
A 2021 regulation in China mandates that organizations and researchers report vulnerabilities to the government’s Ministry of Industry and Information Technology within 48 hours of discovery.
Some Chinese companies in MAPP, such as Beijing CyberKunlun Technology, are also members of China’s government-run vulnerability database, which is overseen by its Ministry of State Security.
Security analysts, like Eugenio Benincasa from the Center for Security Studies at ETH Zurich, warn that this dual allegiance creates a “lack of transparency” and potential conflicts.
With several Chinese security firms collaborating directly with state agencies and bound by stringent reporting requirements, experts argue there is an urgent need to scrutinize how global tech companies manage sensitive vulnerability information across jurisdictions.
As Microsoft’s investigation unfolds, the situation highlights complex challenges at the intersection of international business, cybersecurity, and geopolitics—especially as software vulnerabilities become powerful tools in the arsenal of state-sponsored hacking efforts.