China recently updated its laws to allow flaw hoarding
China is storing a number of files on security vulnerabilities that have not been disclosed to use later against its rivals within China and the West, Microsoft has claimed.
In a recent report the company reported the fact that China has recently updated its laws to permit the government to keep recently discovered vulnerabilities from public scrutiny. In this way, it will be able to utilize it again against weak endpoints(opens in a new tab) at the appropriate moment comes.
China has introduced an amendment to the law in 2021 that stipulated that when an organization discovers an issue, it had to first inform local authorities before making it open about it, The Register reminds. One year later The Atlantic Council reported on the outcomes of the new law – specifically, vulnerability reports that came from China declined, while anonymous reports were increasing.
“Particularly proficient” threat actors
“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” Microsoft claims.
The Redmond firm also noted that Chinese threats were “particularly proficient” at discovering and exploiting zero-day vulnerabilities.
Microsoft’s report was not only on China however, since the document, which is 114 pages long, also includes Russia, Iran, and North Korea. For Russia the report focused specifically on one obvious aspect that the country’s “relentless targeting” of the Ukrainian government and its crucial infrastructure, within a larger military campaign against its southwestern neighbour, Iran “aggressively” sought for access to US vital infrastructure like ports and authorities.
North Korea, on the contrary, was continuing its campaign of theft of cryptocurrency from technology and financial firms to fund the government’s work.
“Although nation-state actors can be technically sophisticated and employ a wide variety of tactics, their attacks can often be mitigated by good cyber hygiene,” Microsoft concluded. “Many of these actors rely on relatively low-tech means, such as spear-phishing emails, to deliver sophisticated malware instead of investing in developing customized exploits or using targeted social engineering to achieve their objectives.”