Microsoft may revise a programme that shares coding flaws in its products with other companies after a suspected leak led to a sprawling cyberattack against thousands of Microsoft Exchange e-mail clients globally.

The technology giant is weighing how and when to share data with at least some of the 81 participants in the Microsoft Active Protections Programme (MAPP), according to six people familiar with it including existing members who sought anonymity citing a Microsoft non-disclosure agreement. The others requested anonymity because they aren’t authorised to discuss the matter publicly.

MAPP grants some customers information about vulnerabilities in Microsoft’s products and services days or weeks ahead of public disclosure. It is widely regarded by participants as a critical data-sharing tool to defend against potential attacks.

However, Microsoft fears MAPP participants may have tipped off hackers after the company shared a critical vulnerability with its top tier of members around 18 February, according to four people familiar with Microsoft’s investigation into the cause of the attack. Microsoft publicly released software updates to patch the problem on 2 March.

The company’s inquiry has focused on at least two Chinese companies as possible sources of the leak, according to the people familiar with the probe. Four MAPP participants said they’d recently disclosed detailed logs of network activity to Microsoft since the Exchange attack. In some cases, companies volunteered the data unprompted, while in others Microsoft requested additional data. The companies asked to remain anonymous, citing their non-disclosure agreement with Microsoft.

Chinese hackers

Microsoft’s vulnerability disclosure in late February was followed by one of the most efficient, wide-ranging cyberattacks in history. Microsoft has blamed state-sponsored Chinese hackers, dubbed Hafnium, for the attack which compromised more than 60 000 government, corporate and private e-mail systems around the world, much of which occurred over the last weekend in February.

Microsoft declined to comment on potential changes to MAPP, nor would the company discuss its MAPP disclosures in February or possible leaks by participants. The company said it remained committed to the programme and its wide-ranging list of members from the US, Israel, Russia, China, Japan, Australia, India and parts of Europe.

“We believe there are many benefits to mutual information sharing with the security community to help protect our mutual customers against attacks,” the company said in a statement. “We continue to evaluate how to best balance the benefits of this sharing with the risk of early disclosures.”

In response to queries, China’s ministry of foreign affairs stated: “China resolutely opposes any form of online attacks or infiltration. This is our clear and consistent stance. Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyberattacks and other criminal activity.”

China has proposed a global security standard that it says is “for the benefit of international digital governance” and urged others to work with it to safeguard global data security. “We hope the media adopts a professional and responsible attitude, relying on comprehensive evidence when determining the nature of cyberspace events, but not groundless speculation,” according to the ministry’s statement.

Until MAPP was created, both criminal hackers and computer researchers would wait for Microsoft to disclose patches on the second Tuesday of every month, known as “Patch Tuesday”. The two camps would then race to reverse engineer the patches in hopes of identifying the root vulnerability, which attackers could then exploit and defenders would attempt to protect against, according to Microsoft.

Patch Tuesday still exists. MAPP was started in 2008 to give some of Microsoft’s biggest customers a head-start against the criminals.

At least 13 Chinese companies have participated. Two of them have been removed. Hangzhou DPtech Technologies was kicked out in 2012 for breaching its non-disclosure agreement, according to Microsoft. A cybersecurity researcher found that Hangzhou had leaked evidence of a critical vulnerability in a Microsoft product to Chinese hackers.

Three tiers

Last year, Qihoo 360 Technology was removed after being the target of US-imposed export controls due to national security concerns, according to three people familiar with the matter. A year earlier, Microsoft named Qihoo 360, Tencent Holdings and Palo Alto Networks as the top contributors to MAPP.

MAPP is organised into three tiers: entry level, advance notification and validation. Members of the validation group — mostly virus-detection firms — are invited to receive vulnerabilities sometimes weeks ahead of public disclosure. Some of the details shared with MAPP participants are subject to a non-disclosure agreement.

Microsoft may elect to reshuffle members of the top tier, according to three people familiar with options being considered by the company. The Microsoft Security Response Centre, which runs MAPP, may also simply reassess how much critical intelligence they share with companies considered close to certain nations, including China, according to the people.

Microsoft could also embed a unique test in pieces of its code, known as a watermark, that serve as sort of digital bread crumbs in the event of a leak. It’s unclear if watermarks were used in the data distributed to MAPP participants in February, but Microsoft has previously used them and could reintroduce them in the future, according to one of the people.

Microsoft requires MAPP participants to share data and vulnerabilities the same way it discloses the bugs in its products. Multiple MAPP participants said that Microsoft’s requests for information have surged in recent years but especially in the months since the Exchange and SolarWinds cyberattacks. In the latter instance, which was publicly disclosed in December, Russian hackers infiltrated at least nine US agencies and 100-private-sector companies after installing malicious code in software updates for Texas-based SolarWinds.

But there are risks for Microsoft. Many of the companies on the MAPP list are presumed to have at least informal ties with the state security apparatus in their country of domicile, meaning Microsoft’s vulnerability disclosures may be shared with governments with some frequency, said one former MAPP member who asked not to be identified because of an NDA.

Microsoft is unlikely to remove any Chinese participants despite the possible Exchange leak, according to two people familiar with the MAPP review. But the company could limit how much data it shares with members in China, the people said. A Chinese cybersecurity law requires corporations to provide access to their technology and assist with investigations involving crime and national security.

If Microsoft were to eliminate MAPP participants in countries not politically aligned with the US, the company would handcuff part of its own intelligence operation. “While there are risks in partnering with Iranian, North Korean, Russian or Chinese companies, Microsoft also uses the programme to its advantage,” said Chester Wisniewski, a principal research scientist at the cybersecurity firm Sophos.

Realpolitik

Microsoft president and chief legal officer Brad Smith said in January 2020 that the company generates about 2% of its global sales from China, or about US$2.9-billion that year. The potential to enhance that revenue could motivate the company’s disclosure policies, said Robert Potter, CEO of Internet 2.0, a cybersecurity firm which advises the US and Australian governments.

“Like all large companies, Microsoft has to balance maintaining market access inside of China and security considerations,” Potter said. “Over time, this balance is getting harder to maintain and this introduces risks to other customers. The pressure is making that decision more binary.” — Reported by Kartikay Mehrotra, (c) 2021 Bloomberg LP