ProPublica is a nonprofit newsroom that investigates abuses of power.
Last month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, a widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Agency and the Department of Homeland Security.
However, the company did not mention in its announcement that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for many years.
ProPublica viewed a screenshot of Microsoft’s internal work-tracking system showing that a China-based employee recently fixed a bug in SharePoint “OnPrem,” the version of the software involved in last month’s attack. The term, which stands for “On Premises,” refers to software that is installed and run on the customer’s own computers and servers.
Microsoft said the China-based team is “overseen by US-based engineers and is subject to all security requirements and manager code reviews. Work is already underway to shift this work elsewhere.”
It is unclear whether Microsoft’s China-based staff had any role in the SharePoint hack. However, experts say that allowing China-based personnel to provide technical support and maintenance for U.S. government systems could pose major security risks. Chinese law grants national officials wide-ranging authority to collect data, and experts say it is difficult for Chinese citizens and companies to meaningfully resist direct requests from security forces or law enforcement agencies. The Director of National Intelligence views China as “the most active and lasting cyber threat to the US government, the private sector and critical infrastructure networks.”
In a story released last month, ProPublica revealed that Microsoft has relied on foreign workers, including people based in China, for 10 years to maintain the Department of Defense’s cloud system, with supervision from US-based personnel known as digital escorts. However, these escorts often do not have the advanced technical expertise to police far more highly skilled foreigners, leaving highly sensitive information vulnerable, the research shows.
ProPublica found that Microsoft developed the escort arrangement to satisfy Department of Defense officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be US citizens or permanent residents. Microsoft has won federal cloud computing business and said in its revenue report that it will “receive significant revenue from government contracts.” ProPublica also discovered that Microsoft will use China-based engineers to maintain cloud systems for other federal sectors, including the Judiciary, the Treasury and some of the commercial.
In response to the report, Microsoft said it has stopped using China-based engineers to support the Department of Defense’s cloud computing system, and it is considering the same change for other government cloud customers. Additionally, Secretary of Defense Pete Hegseth has begun a review of high-tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a Democrat from New Hampshire, have written to Hegseth to request more information about Microsoft’s China-based assistance, citing ProPublica’s investigation.
Microsoft said it was made aware on July 7 that Chinese hackers were already exploiting SharePoint’s weaknesses. On July 8, the company released a patch, but hackers were able to bypass it. Microsoft then issued a new patch with “more robust protection.”
The US Cybersecurity and Infrastructure Security Agency said the vulnerability allows hackers to “have full access to SharePoint content, including file systems and internal configurations, and allow code to run on the network.” Hackers are also using that access to spread ransomware, which encrypts victims’ files and demands payment for their release, CISA said.
A DHS spokesperson said there was no evidence that data was obtained from the government agency. A spokesman for the Department of Energy, which includes the National Nuclear Security Agency, said in a statement that the agency was “minimally affected.”
“At this point, we know that there is no confidential or classified information that has been compromised,” the spokesperson, Ben Mortlich, said.
Microsoft says it will no longer support on-premises versions of SharePoint from July next year. It has encouraged customers to switch to the online version of the product, which involves ongoing software subscriptions and use of Microsoft’s Azure cloud computing platform and generates more revenue. The strength of the Azure cloud computing business has been driving Microsoft’s stock price in recent years. On Thursday, Microsoft became the second company in history to be valued at over $4 trillion.
Doris Burke contributed research.