The tech giant claims China is weaponizing vulnerabilities by hiding and stockpiling zero-day threats.

China’s offensive cyber capabilities are expanding quickly, according to Microsoft. The tech giant says the expansion is due to a 2021 law that effectively allows Beijing to build up an arsenal of unreported software vulnerabilities that it can weaponize at a later stage.

The Microsoft Digital Defense Report 2022 analyzes cyber threats from a variety of state actors. The researchers pay particular attention to China due to the nation’s recently introduced laws applying to the reporting of software vulnerabilities. “While we observe many state actors developing exploits from unknown vulnerabilities, China-based actors are particularly proficient at discovering and developing zero-day exploits”, the report reads.

China’s vulnerability reporting regulation went into effect in September 2021. Never before has a government required the reporting of vulnerabilities to a government authority prior to reporting the vulnerability to a product or service owner. “This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them”, Microsoft warns.

Expanding vulnerability lifecycles

“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority”, the tech giant continued.

While zero-day vulnerability attacks initially tend to target a limited number of organizations, they’re often quickly adopted into the larger threat actor ecosystem. This kicks off a race among threat actors to exploit the vulnerability as widely as possible before their potential targets install patches.

The threat is clear: by stockpiling vulnerabilities rather than reporting them to the affected vendors, China can widen the window between the moment it first deploys a weaponized vulnerability and the moment the software developer delivers a patch, maximizing the damage done before the vulnerability is resolved.