How China’s Cyber Ecosystem Feeds Off Its Superstar Hackers

How China’s Cyber Ecosystem Feeds Off Its Superstar Hackers

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Panther.

This newsletter is going on a one week break and the next edition will be on 27 June.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

‎Risky Business News: Srsly Risky Biz: China’s superstar hackers on Apple Podcasts
‎Show Risky Business News, Ep Srsly Risky Biz: China’s superstar hackers - 12 June 2024
China's superstar hackers, Stable Diffusion

A new report explores how effectively the Chinese state leverages civilian talent for state-sponsored cyber operations. 

From Vegas to Chengdu, by Eugenio Benincasa from the Center for Security Studies at ETH Zurich, focuses on the links between Chinese hacking contests and bug bounties and the country's cyber espionage programs. Interestingly, it finds that PRC vulnerability discovery efforts in recent years depend highly on just 'a handful' of Chinese researchers

The report pulls together information made public over the past several years to comprehensively summarise evidence the PRC funnels vulnerability research into state-sponsored espionage efforts.

Shortly after 2014, Chinese security researchers began dominating international hacking competitions. 

The paper analyses the performance of Chinese security researcher teams at the Pwn2Own hacking competition. In 2014 Chinese teams won just 13% of the total prize money. By 2017, this had risen to nearly 80%. 

Around this time the Chinese government appears to have decided to harness its researchers' vulnerability research capabilities for state purposes. Chinese researchers were banned from attending hacking competitions held outside the country and in 2018 an equivalent domestic event, the Tianfu Cup, was held in Chengdu. 

An iOS exploit chain published at that competition was subsequently discovered in watering hole attacks against Uyghur Muslims. Uyghurs are an oppressed minority population in the Western Chinese province of Xinjiang.

The report documents other compelling evidence that Chinese hacking competitions feed talent and exploits to state-backed cyber espionage programs. 

The report says companies linked to Chinese state-sponsored cyber operations sponsor hacking competitions. Security firm Topsec, which has been linked to the 2015 breach of US insurance giant Anthem, sponsors the Tianfu Cup. And the i-SOON cyber espionage contracting firm created the 'Anxun Cup' hacking competition to attract talent. 

i-SOON's employees also believed that exploits from the Tianfu Cup were funnelled through the provincial branches of security agencies for contractors to use in cyber operations. 

The Chinese government also has regulations which mandate that vulnerability disclosure information be passed through official agencies that have links to the Ministry of State Security (see diagram below).

China's offensive cyber ecosystem, From Vegas to Chengdu 

One benefit of this system is that it allows civilian hackers’ research to be captured for use in state programs without them being directly involved. The paper provides evidence some of China's elite hackers have ethical standards. Accomplished hacker He Qidan (aka Edward Flanker) lost his job at Chinese e-commerce firm Pinduoduo for refusing to participate in what he described as unlawful activities. Pinduoduo's apps were booted from the Play Store last year for using several 0days to hack users' devices. 

We've heard directly from individual Chinese security researchers that they are motivated to improve global security and not by nationalistic fervour. But it is not clear what elite hackers in general think about working for Chinese national security purposes.  

These elite hackers really matter. The report analysed the contribution Chinese researchers made to Google, Microsoft and Apple bug bounty programs, and found that a handful of individuals made an outsized contribution. For example, the report describes how credit is assigned to individuals with different research teams in the Qihoo 360 security firm: 

The success of the Chinese teams is often credited to a small number of individuals. From 2017 to 2020, over 60% of vulnerabilities reported by Qihoo’s 360 C0RE to Google Android were submitted by Mingjian Zhou, either individually or in collaboration with a few additional team members. Within 360 Alpha nearly all vulnerabilities were reported by Guang Gong, whereas in 360 IceSword, over half were reported by Chen Gengjia, either individually or in collaboration with other team members. Han Zinuo contributed to over 50% of vulnerabilities reported by 360 SRC to Google Android. And in the case of Qihoo’s 360 Vulcan Yuki Chen was responsible for 68% of the team’s submitted vulnerabilities to Microsoft.

These are superstar security researchers and their impact is reflected in vulnerability discovery numbers:

Fluctuations in a team’s contributions can often be traced back to a single individual transition between companies. This has been particularly true since 2020. For example, when Han Zinuo switched from 360 SRC to OPPO in 2020, submissions from 360 to Google Android decreased significantly, while OPPO saw a substantial increase, largely due to Han's contributions. Likewise, when Yuki Chen moved from 360 Vulcan to Cyber Kunlun in 2020, Microsoft witnessed a significant decrease in contributions from 360 Vulcan. Cyber Kunlun meanwhile experienced a remarkable surge, with Chen being responsible for 62% of the team’s submissions to Microsoft. Sangfor experienced a significant boost when former 360 C0RE member Peng Zhiniang joined the company as a CTO in late 2020. Following Peng's arrival, Sangfor's vulnerabilities contributions to Microsoft surged, and the company secured third place in the Tianfu Cup 2023.

An interesting observation in the report is that the hacking targets at the 2023 Tianfu Cup shifted away from Western products towards Chinese ones. The Chinese government is trying to reduce the country's dependency on foreign software and hardware (known colloquially as 'Delete America'), so a focus on domestic software makes sense to improve its resilience.  

Also, internal security is a very high priority for Chinese security services and if targets shift to Chinese-built software, security services will follow suit. It's a happy coincidence then, that a focus on domestic software at the Tianfu Cup will also be useful for finding vulnerabilities that organisations like the Ministry of State Security will be able to exploit. 

It is worth remembering that the two examples we have where vulnerabilities were exploited shortly after disclosure at a conference or hacking contest have targeted two of the Chinese Communist Party's 'Five Poisons'—Hong Kong pro-democracy groups and Uyghur Muslims. (Tibetans, Taiwanese and the Falun Gong are the other three). 

The report describes a fairly well integrated talent ecosystem that comprises hacking contests, bug bounties, universities, private contractors and intelligence agencies. This ecosystem is more deliberately constructed than the US equivalent, which grew organically without top-down direction. It's worth a read to understand what these ecosystems look like when the state can directly capture vulnerability research talent. 

A Joint Collaborative Sense of Impending Doom

Recommendations to change the way CISA's Joint Cyber Defence Collaborative (JCDC) works are grim news for the initiative.

The idea behind the JCDC was to 'unify cyber defenders from organisations worldwide' by gathering, analysing and sharing actionable information. Unfortunately that hasn't worked out and back in May, Politico covered a 'wave of discontent' with the JCDC. One criticism was that CISA had staffed the JCDC with lawyers and policy operatives rather than technical experts.  Another was that the CISA's anti-disinformation work had put the JCDC offside with conservatives, even though the JCDC did not directly deal with the subject. 

Last week, The Record reported on recommendations for the JCDC issued by CISA's Cybersecurity Advisory Committee. The recommendations address:

  • The JCDC's day-to-day activities: more operational collaboration, less policy. 
  • Clear criteria for JCDC membership.
  • Expanded and more developed coordinating structures.

Um, so in effect these recommendations say the JCDC hasn't got the what, the who or the how of what it does right. And given the JCDC's work has become a political target we think it better to just kill the damn thing. 

Three Reasons to Be Cheerful This Week:

  1. Security help for hospitals from Google, Microsoft: The White House announced that Google and Microsoft would provide discounted cyber security services and education to US rural hospitals. The assistance is welcome because these types of hospitals are in a tough spot from a cyber security perspective. Most rural hospitals are small with limited resources, and patients don't have practical alternatives within a reasonable distance if operations are disrupted by a cyber incident. 
  2. Apple launches Passwords app: Among other new security features, Apple launched a new password manager app for its operating systems at its World Wide Developer Conference this week. Managing passwords is a thankless job for all users so it is good to see functionality that has been hidden in Apple's Keychain made more visible and accessible. 
  3. FCC proposes routing security rules: The US Federal Communications Commission has proposed new reporting requirements aimed at encouraging broadband providers to lift their game when it comes to the security of Border Gateway Protocol (BGP). Providers would need to prepare and update BGP security risk assessment plans and report on progress implementing RPKI-based security measures

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Panther Senior Engineering Manager Nicholas Hakmiller on how the IT market is adapting to the cybersecurity skill shortage by training regular software talent in detection engineering, how AI is not there yet, and how Panther excels at spotting initial account compromise.

‎Risky Business News: Sponsored: Panther on how the market is moving towards detection engineers on Apple Podcasts
‎Show Risky Business News, Ep Sponsored: Panther on how the market is moving towards detection engineers - 9 June 2024


Shedding Light On The Snowflake Campaign 

Mandiant has released a report that sheds light on the campaign targeting Snowflake customers.

Mandiant attributes the campaign to a financially motivated group it calls UNC5537 which obtained access via customer credentials captured by infostealer malware (malware that steals valuable information such as credentials or access tokens) that had infected customer's systems. Mandiant says it "identified hundreds of customer Snowflake credentials exposed via infostealers since 2020". 

In successful compromises MFA was not configured, credentials had not been rotated (in some cases they were valid years after they had been stolen) and affected Snowflake instances did not have controls in place to allow only access from trusted locations.

The report said Snowflake and Mandiant had notified around 165 potentially exposed organisations to date.

UNC5537 Snowflake attack path, Mandiant

Dutch Blow Lid On Chinese Party

Dutch military intelligence, the MIVD, has revealed that a Chinese cyber espionage campaign targeting Fortinet's FortiGate devices is much larger than previously thought and had gained access to at least 20,000 systems worldwide. 

The MIVD reported on the malware used in the campaign in February this year when it found compromised FortiGate devices in Dutch Ministry of Defence networks. It said:

Since its publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475 . Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organisations and a large number of companies within the defence industry.

Today's newsletter is brought to you by Detection-as-Code company Panther... and, in what we think is a first, they've released a detection-as-code graphic novel... called Guardians of Valora. It teaches the five key principles of Detection-as-Code... grab it now from

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the use of cyber operations in Ukraine is informative but information is incomplete. Rather than clarifying the role of cyber operations in conventional warfare there is still a lot of room for confirmation bias. 

‎Risky Business News: Between Two Nerds: The cyber Rorschach test on Apple Podcasts
‎Show Risky Business News, Ep Between Two Nerds: The cyber Rorschach test - 10 June 2024

From Risky Biz News:

Apple's WWDC 2024 security lineup: Apple is holding its yearly Worldwide Developers Conference (WWDC) this week in Cupertino, and the company has announced several security-related features on the first day of the event.

This year's biggest announcement is Private Cloud Compute, a new feature that will take user data and process it inside an encrypted cloud server. This feature will be used for new Apple AI services that require more processing power than is available on the user's device.

Apple says the data will be stored on servers that use custom-built hardware and run a custom operating system. Data is sent to PCC servers only with the user's approval, and Apple says that even its staff with administrative rights can't access or view it. Everything, of course, is wrapped in cryptographic protocols.

A technical description of this entire convoluted process is available here, and Apple says it will make PCC server software images available for security research.

[more on Risky Business News, including Apple's new Passwords app and iOS18 security features]

Microsoft budges on Windows 11 Recall: Microsoft has cracked under the public's pressure and is rolling out changes to its upcoming Windows 11 Recall feature. The company says Recall will ship disabled by default for all upcoming Windows 11 compatible systems. Users will be able to activate Recall only if they previously enrolled in the Windows Hello biometrics authentication system. Recall data will also be encrypted and accessible only after users have authenticated via Windows Hello. The Recall feature has been a PR disaster for Microsoft over the past month. Users have reacted negatively to the news that Recall would be taking snapshots of their screen every five seconds and storing sensitive information in an unencrypted local database. Microsoft says it made changes to Recall after feedback from its customers.

Interpol plugs Red Notices leak: Moldavian authorities have arrested four individuals suspected of sharing information about Interpol Red Notices with wanted fugitives, including cybercrime suspects.

The scheme was uncovered earlier this year by the UK NCA during a separate cybercrime investigation. Authorities say a criminal group paid bribes of several millions of US dollars to Moldavian public servants to provide early warning of Interpol Red Notice arrest warrants.

The early warning allowed wanted individuals to seek asylum or refugee status in Moldova or other countries, a process that triggers the deletion of Red Notices from the Interpol database.

[more on Risky Business News]