The West's Tepid China Deterrence Is Not Working

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray . It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Nucleus Security .

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed .

The exploitation of Microsoft SharePoint vulnerabilities by Chinese hackers is a near-exact re-run of the 2021 Microsoft Exchange server mass compromise event . 

The 2021 incident elicited a strong international diplomatic response, but this SharePoint saga makes it clear these efforts failed to deter China from embarking on a similarly damaging campaign again, four years later. A different, bigger picture, approach is needed. 

In both cases:

• Serious vulnerabilities that could be used for remote compromise are discovered in on-premise Microsoft products (Exchange in 2021, SharePoint in 2025).
• The vulnerabilities are disclosed to Microsoft and patches prepared.
• Some vulnerability details are shared with trusted security vendors in the Microsoft Active Protections Program (MAPP) ahead of patches being publicly released.
• Exploitation of these vulnerabilities begins in the days prior to patches being released, leading Microsoft to investigate whether information had leaked from MAPP ( SharePoint , Exchange )
• China-based actors systematically take advantage of the vulnerabilities. Exploitation is narrowly targeted for espionage initially, but quickly becomes indiscriminate and for criminal purposes including for the deployment of ransomware.
• Most vulnerable servers are compromised, such that hundreds of thousands of Exchange servers and likely tens of thousands of SharePoint servers are impacted.

Microsoft attributed the 2021 Exchange hacks to a Chinese state-sponsored group it now calls Silk Typhoon (at the time it was known as Hafnium ). 

Fast forward a few years and three China-based actors are exploiting this month's SharePoint hacks, according to Microsoft. Two of them, Linen Typhoon and Violet Typhoon, are state-backed groups who typically steal intellectual property and engage in espionage. The third, Storm-2603, has been stealing SharePoint MachineKeys, which would allow access to servers even after they've been patched. It has also been deploying ransomware, although Microsoft says it "is currently unable to confidently assess the threat actor's objectives".

The striking similarity between the 2021 Exchange and 2025 SharePoint incidents underlines the fact that the current toolkit of public diplomatic pressure and indictments, coupled with occasional arrests, has simply not worked. 

In the wake of the 2021 Exchange free-for-all the US, the European Union, NATO and other allies publicly called out the hacks and the "PRC's pattern of malicious cyber activity". This was the largest international condemnation of Chinese hacking, but the co-ordinated finger-wagging was not associated with any sanctions or concrete punishments at the time.

Earlier this month the US Department of Justice announced the arrest in Italy of a Chinese hacker allegedly involved in the 2021 Exchange hacks. Arrests are good, but they occur so infrequently it is unlikely they will have any real deterrent effect on Chinese hackers.  

The Trump administration has indicated that it is keen to take the gloves off in cyberspace. Speaking at the RSA conference earlier this year, Alexei Bulazel, Senior Director for Cyber and Special Assistant to the President, said per CyberScoop :

"I think deterrence in cybersecurity is actually very hard," he said. "I think there's a lot we could do to increase costs on these actors," adding that a response should show adversaries that "if you come do this to us, we'll strike back and we'll punch back, and administrations before us have been hesitant to do that." 

We support more robust disruptive cyber operations, but we don't think that punching back in retaliation should be a priority. 

The SharePoint hackers have grabbed an opportunity for an intelligence win, here. That hurts, but there is a bigger picture to consider. In cyberspace the US and China are involved in an ongoing intelligence contest and are even preparing for real-world conflict . 

Offensive cyber operations should be prioritised based on whether they will help the US win in cyberspace, not based on which group of hackers scored the last intelligence coup. 

And it's hard to see what retaliatory operations against the groups involved would achieve. Wipe their computers? Dox the operators? Collect intelligence for indictments? All these would be irritants rather than deterrents as there is no ongoing operation to disrupt.

There are already examples of US actions focussed on these strategic threats, including the takedown of a botnet used by Volt Typhoon, the group preparing to disrupt critical infrastructure. More of these, please. 

Clorox vs Cognizant Lawsuit: The Transcripts Are Hilarious  

Last week bleach maker Clorox launched a lawsuit against Cognizant, the IT company whose contracted services included password recovery assistance for Clorox staff. This serves as a reminder that outsourcing something as simple as help desk support may reduce costs but can come with loss of control and increased risk that ends up biting organisations in the rear. 

Clorox alleges hackers were able to breach its network simply by asking the service desk staff for passwords. 

Per Clorox's lawsuit :

Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.

The Clorox lawsuit alleges that Cognizant's help desk staff reset passwords and multi-factor authentication (MFA) for the hackers without verifying their identities. Clorox claims that service desk personnel did not follow the "very specific and comprehensive procedures for credential support requests" that it had instructed Cognizant to implement. 

At first glance, these allegations are shocking. However, they haven't been tested in court and there could be mitigating factors. For example, ransomware incident response firm Coveware has found that , in several incidents where social engineering was used against outsourced IT providers, the incentives for the support team to resolve issues quickly actually "abetted the social engineering".

Clorox's lawsuit also alleges that Cognizant didn't provide on-tap expertise to respond to the developing cyber security incident. It claims that reinstalling a security tool removed by the attackers took too long, and personnel assigned to assist in recovery didn't have the deep understanding of Clorox's systems that would be expected after managing them for 10 years.  

Cognizant's response to several media outlets is:

It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.

When Clorox outsourced some helpdesk services to Cognizant ten years ago, it likely didn't realise that it was losing control over how it could respond in a cyber security crisis. 

To paraphrase the project management triangle , your options are: convenient, cheap and secure. Pick two. Opt for quick and painless IT help desk support and you may get Scattered Spidered.

Microsoft's Chinese Support Agents Were Accessing US DoD Systems

In another story that speaks to the perils of outsourcing, we learned earlier this month that Microsoft has been using engineers in China to help maintain US government cloud computing systems.

ProPublica described the supervision arrangements that were used for the US Department of Defense's systems: 

The arrangement, which was critical to Microsoft winning the federal government's cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

But these workers, known as "digital escorts," often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

A similar system was used in the Government Community Cloud, which provided cloud systems for other federal departments including parts of Justice, Treasury and Commerce.

Last week's Risky Business podcast contains an in-depth discussion of the security problems with outsourcing system support like this. Suffice to say that it is an absolute non-starter from a security perspective.

Although the digital escort system had been in place for nearly a decade, ProPublica wrote:

The program appears to be so low-profile that even the Defense Department's IT agency had difficulty finding someone familiar with it. "Literally no one seems to know anything about this, so I don’t know where to go from here," said Deven King, spokesperson for the Defense Information Systems Agency.

This beautifully illustrates that in outsourcing arrangements the client and service provider can have mismatched requirements. The Department of Defense wanted actual security, whereas Microsoft only had to provide the appearance of security. ProPublica says the arrangement was "critical" to Microsoft winning the federal government's cloud computing business a decade ago. 

In the immediate aftermath of ProPublica's article, Microsoft announced that China-based engineers would no longer be involved in maintaining US government computing systems. Interestingly, Secretary of Defense Pete Hegseth also stated that "China will no longer have any involvement whatsoever" in DoD cloud services.  

That only leaves engineers from India, the Philippines, Vietnam, Poland … So, that's a win?

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

1. Checkmate, BlackSuit: An international law enforcement action known as Operation Checkmate has seized the dark web domains of the BlackSuit ransomware group. The group started in 2002 when it was known as Quantum before rebranding to Royal and finally BlackSuit. The FBI and CISA say the outfit has demanded more than USD$500 million in ransoms. Although this may mark the end of BlackSuit as a brand, Cisco Talos researchers believe former members of BlackSuit are now running Chaos ransomware.  
2. New York water systems to get regulations and grants: New York state officials have proposed more stringent cyber security regulations that would require water systems to establish security programs, conduct risk assessments and also implement technical safeguards. They also announced a grant program to help organisations offset the cost of implementing these security measures. 
3. Pressuring Starlink to stop serving scammers: Democratic Senator Maggie Hassan is directing pointed questions at Starlink CEO Elon Musk about the company providing services to transnational scammers operating from compounds in Southeast Asia. When we looked at this back in March it seemed that the company simply did not invest much effort in policing terms of service violations. We hope that political pressure will result in some action.  

Sponsor Section

In this sponsored interview, Nucleus Security co-founder and COO, Scott Kuffer joins Casey Ellis to chat about how vulnerability management evolved into quite a lot more than just patch prioritization.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed ( RSS , iTunes or Spotify ).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss whether China's 'cyber militia' makes sense and what they could be good for. 

Or watch it on YouTube!

From

Risky Bulletin :

US seizes Chaos ransomware funds: The FBI has seized around $2.4 million worth of Bitcoin from the relatively new Chaos ransomware group.

According to the US Justice Department , the funds were seized back in April, but only now announced. The funds were taken from a crypto-wallet owned by a Chaos member going by the name of Hors.

This seizure is interesting for one very particular reason—namely, that the Chaos ransomware is a new group. We have rarely seen the FBI crack down and go after a group within months of its launch.

[ more on Risky Bulletin ]

Aeroflot cancels flights after hack: Russia's national airline Aeroflot canceled more than 100 flights after a cyberattack. The flight cancellations impacted international and domestic flights landing or taking off from Moscow's main airport. Two hacktivist groups hacked Aeroflot's network and wiped thousands of servers. The Cyber Partisans and Silent Crow took credit for the intrusion. They allegedly wiped systems by rewriting files with anti-Putin insults. The groups also mocked Aeroflot for still using Windows XP and employees for storing passwords in text files. [Additional coverage in The Moscow Times ]

Microsoft rolls out linkable token identifiers to help IR teams: Microsoft has released this week a new Entra security feature designed to help incident responders track down compromised accounts and malicious activity across organizations.

The new feature is named Linkable Identifiers , sometimes also referred to as Linkable Token Identifiers in some of the Microsoft documentation pages—because, of course, anything Microsoft has to also be confusing.

It is a newly designed mechanism that generates multiple unique identifiers that are embedded inside user access tokens after users authenticate via Entra ID.

[ more on Risky Bulletin ]