
Chinese Hacking Competitions Fuel the Country’s Broad Cyber Ambitions

May 1, 2025

Dustin Childs can still describe the best demonstration of a winning hack at an international tournament he’s ever seen. It happened almost a decade ago.

The participants had to find a way to break into a Windows workstation that was hardened with firewalls and up-to-date software to make it more secure. One member of a team from China entered an address into the Windows browser, he said, “and took their hands off the keyboard and that was it.”

The address triggered computer code that turned the Chinese team’s access from “guest” to “host,” giving them administrator rights and the ability to install whatever code or software — or malware — they wanted.

The top title at the tournament was called “Master of Pwn,” said Childs, who has been affiliated with the tournament since 2009 and is part of the Zero Day Initiative that runs it.

“We implemented that title in 2016. The Chinese companies won it at every competition until they stopped participating,” he said.

That international acclaim also drew the attention of critical eyes back home.

In 2017, the billionaire founder of Chinese cybersecurity firm Qihoo 360, Zhou Hongyi, publicly criticized Chinese participation in overseas hackathons, arguing that vulnerabilities discovered by Chinese experts should remain within that country’s borders. The criticism from Zhou, a member of a political advisory board to the Communist Party government, didn’t go unnoticed.

The following year, there were no Chinese teams competing at Pwn2Own. Instead, China started its own hacking tournament, called the Tianfu Cup. Participants were encouraged to hack into Apple operating systems, Google phones and Microsoft networks, according to media reports.

But there was a difference. At Pwn2Own and other hacking competitions, the findings are reported to the companies that make the software or devices so they can fix them before hackers take advantage. Participants in Chinese hacking competitions are required to report them to the government first. “In practice, this meant vulnerabilities were passed to the state for use in operations,” said Dakota Cary, a China-focused consultant at the US cybersecurity company SentinelOne.

One example, cybersecurity experts said, occurred in 2019, when that a flaw uncovered at the inaugural Tianfu Cup bore striking similarities with a hacking campaign targeting China’s persecuted Uyghur ethnic communities.

More recently, files attributed to a Chinese cybersecurity firm called i-Soon were posted on the code-sharing site GitHub, a purported data leak that suggested the contests, the government, and the cyber firms that were given access to those vulnerabilities were all connected. Among the chat records was a discussion between i-Soon employees noting a request to China’s Ministry of Public Security, the country’s main police agency, for zero-day vulnerabilities discovered at Tianfu Cup.

The documents indicated that the Tianfu Cup was a “likely vulnerability feeder system” for the ministry, said Winnona DeSombre Bernsen, a fellow at the Atlantic Council’s Digital Forensics Research Lab, who .

In March, several employees of i-Soon were charged by US authorities for carrying out cyberattacks at the direction of Chinese intelligence agencies. China rejects the allegations. I-Soon hasn’t responded to the charges and didn’t respond to requests for comment.

Asked about vulnerability disclosures, a spokesperson for China’s Ministry of Foreign Affairs said the reporting regulations “aim to prevent the leakage and unauthorized disclosure of vulnerable information.”

The regulations “explicitly support the direct provision of security vulnerability information to network product providers, including foreign organizations and individuals,” the spokesperson told Bloomberg reporters in Beijing.

Representatives for the Tianfu Cup could not be located for comment.

Flaws in computer software and mobile devices are relatively common, prompting periodic patches to the software and updates to the devices to fix them. For criminal hackers and cyber spies, flaws that aren’t previously known to the developers — known as zero days — are particularly valuable because no fix is immediately available, leaving systems exposed.

Some companies specialize in finding zero days and selling them to government intelligence agencies.

Pwn2Own was created in 2007 to find vulnerabilities in Apple’s Mac OS X operating system. Since then, winners have been paid cash prizes for finding vulnerabilities, which are then shared with the software company or device maker to fix.

All the participants, including those from China, adhered to those rules. But the first year they were gone from Pwn2Own, in 2018, Beijing stated that vulnerabilities discovered at Chinese hacking competitions must be reported to the government, said SentinelOne’s Cary.

Three years later, data security laws that went into effect required that vulnerabilities discovered by Chinese researchers — whether they were found in contests or in the course of their work — go straight to the Chinese Ministry of Industry and Information Technology. The laws also prohibit researchers from sharing vulnerability information with anyone before the Chinese government has had a chance to address them — with a 48-hour reporting deadline. There are stiff financial penalties and potential legal action for anyone who doesn’t comply.

China’s policy of requiring researchers to disclose computer bugs they find to the government distinguishes it from the US and other Western countries, experts said.

“The NSA doesn’t force us to disclose anything along those lines to them,” said Childs, referring to the US National Security Agency.

While it doesn’t force vulnerability disclosure, the NSA, the leading cryptology and signals intelligence organization in the US government, does its fair share of vulnerability hoarding, said Greg Austin, who has consulted with governments on China’s cyber and foreign policy for more than a decade. In one incident in 2016, a group called the Shadow Brokers released a cache of secret software exploits — essentially hacking tools — that were from the NSA.

“We’re talking about agencies like the Central Intelligence Agency and the National Security Agency who have discovered vulnerabilities that they don’t want to reveal so that they can attack systems in other countries,” he said. “China’s the same.”

Since the data laws have come into effect, China’s hacking breakthroughs have slipped further behind a wall of secrecy, experts said.

“There is a veil on the front side so we can’t see what they’re working on and what they’re working towards. We only see the results of it when it gets into the wild and actually gets demonstrated against a real live party,” Childs said.

Chinese hacking competitions have also evolved in recent years. Along with challenging participants to break into a Tesla or security software, now the events include Chinese electric vehicles, phones and computers, said Eugenio Benincasa, a senior cyber defense researcher at the Center for Security Studies at ETH Zurich, who closely monitors online reporting of these contests for clues about the challenges and what, if any, results are publicized.

The increased focus on Chinese domestic products aligns with Beijing’s broader policy objective known as “Delete America,” aiming for self-sufficiency in advanced technologies and reducing reliance on foreign suppliers, Benincasa said. It also comes as the US and China continue to restrict exports of key technology components to each other.

“It highlights the goal of fully domesticating China’s IT infrastructure, and replacing foreign-made core components, such as semiconductors, software, and databases, with Chinese-made ones,” Benincasa said.

Photograph: A person typing at a backlit computer keyboard arranged in Danbury, U.K., on Tuesday, Dec. 29, 2020. Photo credit: Chris Ratcliffe/Bloomberg
