The West's Tepid China Deterrence Is Not Working

 West's Tepid China Deterrence Is Not Working

The exploitation of Microsoft SharePoint vulnerabilities by Chinese hackers is a near-exact rerun of the 2021 Microsoft Exchange server mass compromise event.

The 2021 incident elicited a strong international diplomatic response, but this SharePoint saga makes it clear these efforts failed to deter China from embarking on a similarly damaging campaign again, four years later. A different, bigger-picture approach is needed.

In both cases:

• Serious vulnerabilities that could be used for remote compromise are discovered in on-premise Microsoft products (Exchange in 2021, SharePoint in 2025).
• The vulnerabilities are disclosed to Microsoft and patches prepared.
• Some vulnerability details are shared with trusted security vendors in the Microsoft Active Protections Program (MAPP) ahead of patches being publicly released.
• Exploitation of these vulnerabilities begins in the days prior to patches being released, leading Microsoft to investigate whether information had leaked from MAPP (SharePoint,Exchange).
• China-based actors systematically take advantage of the vulnerabilities. Exploitation is narrowly targeted for espionage initially but quickly becomes indiscriminate and for criminal purposes, including for the deployment of ransomware.
• Most vulnerable servers are compromised, such that hundreds of thousands of Exchange servers and likely tens of thousands of SharePoint servers are impacted.

Microsoft attributed the 2021 Exchange hacks to a Chinese state-sponsored group it now calls Silk Typhoon (at the time it was known as Hafnium).

Fast-forward a few years, and three China-based actors are exploiting this month's SharePoint hacks, according to Microsoft. Two of them, Linen Typhoon and Violet Typhoon, are state-backed groups that typically steal intellectual property and engage in espionage. The third, Storm-2603, has been stealing SharePoint MachineKeys, which would allow access to servers even after they've been patched. It has also been deploying ransomware, although Microsoft says it "is currently unable to confidently assess the threat actor's objectives."

The striking similarity between the 2021 Exchange and 2025 SharePoint incidents underlines the fact that the current toolkit of public diplomatic pressure and indictments, coupled with occasional arrests, has simply not worked.

In the wake of the 2021 Exchange free-for-all, the U.S., the European Union, NATO, and other allies publicly called out the hacks and the "PRC's pattern of malicious cyber activity." This was the largest international condemnation of Chinese hacking, but the coordinated finger-wagging was not associated with any sanctions or concrete punishments at the time.

Earlier this month, the Department of Justice announced the arrest in Italy of a Chinese hacker allegedly involved in the 2021 Exchange hacks. Arrests are good, but they occur so infrequently it is unlikely they will have any real deterrent effect on Chinese hackers.

The Trump administration has indicated that it is keen to take the gloves off in cyberspace. Speaking at the RSA conference earlier this year, Alexei Bulazel, senior director for cyber and special assistant to the president, said per CyberScoop:

"I think deterrence in cybersecurity is actually very hard," he said. "I think there's a lot we could do to increase costs on these actors," adding that a response should show adversaries that "if you come do this to us, we'll strike back and we'll punch back, and administrations before us have been hesitant to do that."

We support more robust disruptive cyber operations, but we don't think that punching back in retaliation should be a priority.

The SharePoint hackers have grabbed an opportunity for an intelligence win, here. That hurts, but there is a bigger picture to consider. In cyberspace, the U.S. and China are involved in an ongoing intelligence contest and are even preparing for real-world conflict.

Offensive cyber operations should be prioritized based on whether they will help the U.S. win in cyberspace, not based on which group of hackers scored the last intelligence coup.

And it's hard to see what retaliatory operations against the groups involved would achieve. Wipe their computers? Dox the operators? Collect intelligence for indictments? All of these would be irritants rather than deterrents as there is no ongoing operation to disrupt.

There are already examples of U.S. actions focused on these strategic threats, including the takedown of a botnet used by Volt Typhoon, the group preparing to disrupt critical infrastructure. More of these, please.

Clorox vs. Cognizant Lawsuit: The Transcripts Are Hilarious

Bleach maker Clorox launched a lawsuit last week against Cognizant, the information technology (IT) company whose contracted services included password recovery assistance for Clorox staff. This serves as a reminder that outsourcing something as simple as help desk support may reduce costs but can come with loss of control and increased risk that ends up biting organizations in the rear.

Clorox alleges hackers were able to breach its network simply by asking the service desk staff for passwords.

Per Clorox's lawsuit:

Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.

Three separate service desk interactions from the Clorox lawsuit.

The Clorox lawsuit alleges that Cognizant's help desk staff reset passwords and multi-factor authentication (MFA) for the hackers without verifying their identities. Clorox claims that service desk personnel did not follow the "very specific and comprehensive procedures for credential support requests" that it had instructed Cognizant to implement.

At first glance, these allegations are shocking. However, they haven't been tested in court and there could be mitigating factors. For example, ransomware incident response firm Coveware has found that, in several incidents where social engineering was used against outsourced IT providers, the incentives for the support team to resolve issues quickly actually "abetted the social engineering."

Clorox's lawsuit also alleges that Cognizant didn't provide on-tap expertise to respond to the developing cybersecurity incident. It claims that reinstalling a security tool removed by the attackers took too long, and personnel assigned to assist in recovery didn't have the deep understanding of Clorox's systems that would be expected after managing them for 10 years.

Cognizant's response to several media outlets is:

It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.

When Clorox outsourced some help desk services to Cognizant 10 years ago, it likely didn't realize that it was losing control over how it could respond in a cybersecurity crisis.

To paraphrase the project management triangle, you have three options: convenient, cheap, and secure. Pick two. Opt for quick and painless IT help desk support, and you may get Scattered Spidered.

The Clorox breach was linked to Scattered Spider, who are often described as masters of sophisticated and persistent social engineering. To counter these types of threats, Coveware and Google's Mandiant recommend positive identity verification when credentials or MFA are reset. These include calling requestors back on a phone number from an internal directory as well as on-camera or in-person verification with government ID.

These sound eminently sensible but also inconvenient. It is not clear from the lawsuit if these measures were included in Clorox's credential reset policies. As a side note, we are not sure how long taking selfies while holding photo ID will remain a robust control given the proliferation of deepfake services tailored for criminals.

Microsoft's Chinese Support Agents Were Accessing U.S. Defense Department Systems

In another story that speaks to the perils of outsourcing, we learned earlier this month that Microsoft has been using engineers in China to help maintain U.S. government cloud computing systems.

ProPublica described the supervision arrangements that were used for the Department of Defense's systems:

The arrangement, which was critical to Microsoft winning the federal government's cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
But these workers, known as "digital escorts," often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

A similar system was used in the Government Community Cloud, which provided cloud systems for other federal departments including parts of Justice, Treasury, and Commerce.

Last week's Risky Business podcast contains an in-depth discussion of the security problems with outsourcing system support like this. Suffice to say that it is an absolute nonstarter from a security perspective.

ProPublica wrote that, although the digital escort system had been in place for nearly a decade:

[t]he program appears to be so low-profile that even the Defense Department's IT agency had difficulty finding someone familiar with it. "Literally no one seems to know anything about this, so I don’t know where to go from here," said Deven King, spokesperson for the Defense Information Systems Agency.

This beautifully illustrates that in outsourcing arrangements the client and service provider can have mismatched requirements. The Department of Defense wanted actual security, whereas Microsoft only had to provide the appearance of security.

In the immediate aftermath of ProPublica's article, Microsoft announced that China-based engineers would no longer be involved in maintaining U.S. government computing systems. Interestingly, Secretary of Defense Pete Hegseth also stated that "China will no longer have any involvement whatsoever" in Defense Department cloud services.

That only leaves engineers from India, the Philippines, Vietnam, Poland, … So, that's a win?

Three Reasons to Be Cheerful This Week:

1. Checkmate, BlackSuit: An international law enforcement action known as Operation Checkmate has seized the dark web domains of the BlackSuit ransomware group. The group started in 2002 when it was known as Quantum before rebranding to Royal and finally BlackSuit. The FBI and the Cybersecurity and Infrastructure Security Agency say the outfit has demanded more than $500 million in ransoms. Although this may mark the end of BlackSuit as a brand, Cisco Talos researchers believe former members of BlackSuit are now running Chaos ransomware.
2. New York water systems to get regulations and grants: New York state officials have proposed more stringent cybersecurity regulations that would require water systems to establish security programs, conduct risk assessments, and implement technical safeguards. They also announced a grant program to help organizations offset the cost of implementing these security measures.
3. Pressuring Starlink to stop serving scammers: Sen. Maggie Hassan (D-N.H.) is directing pointed questions at Starlink CEO Elon Musk about the company providing services to transnational scammers operating from compounds in Southeast Asia. When we looked at this back in March, it seemed that the company simply did not invest much effort in policing terms of service violations. We hope that political pressure will result in some action.

From Risky Bulletin:

U.S. seizes Chaos ransomware funds: The FBI has seized around $2.4 million worth of Bitcoin from the relatively new Chaos ransomware group.

According to the Justice Department, the funds were seized back in April but only now announced. The funds were taken from a crypto wallet owned by a Chaos member going by the name of Hors.

This seizure is interesting for one very particular reason—namely, that the Chaos ransomware is a new group. We have rarely seen the FBI crack down and go after a group within months of its launch.

[more on Risky Bulletin]

Aeroflot cancels flights after hack: Russia's national airline Aeroflot canceled more than 100 flights after a cyberattack. The flight cancellations impacted international and domestic flights landing or taking off from Moscow's main airport. Two hacktivist groups hacked Aeroflot's network and wiped thousands of servers. The Cyber Partisans and Silent Crow took credit for the intrusion. They allegedly wiped systems by rewriting files with anti-Putin insults. The groups also mocked Aeroflot for still using Windows XP and employees for storing passwords in text files. [Additional coverage in The Moscow Times]

Microsoft rolls out linkable token identifiers to help IR teams: Microsoft has released this week a new Entra security feature designed to help incident responders track down compromised accounts and malicious activity across organizations.

The new feature is named linkable identifiers, sometimes also referred to as linkable token identifiers in some of the Microsoft documentation pages—because, of course, anything Microsoft also has to be confusing.

It is a newly designed mechanism that generates multiple unique identifiers that are embedded inside user access tokens after users authenticate via Entra ID.

[more on Risky Bulletin]