Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Training & Security Leadership

China Using Hacking Competitions to Develop Domestic Talent

Government Nurtures Homegrown Talent and Hack-for-Hire Ecosystem, Research Finds
China Using Hacking Competitions to Develop Domestic Talent
China has developed a zero-day vulnerability pipeline. (Image: Shutterstock)

China boasts some of the world's most talented cybersecurity researchers and white hat hackers, as well as a strict cybersecurity law compelling individuals to assist the state.

See Also: OnDemand | New Phishing Benchmarks Unlocked: Is Your Organization Ahead of the Curve in 2023?

This combination appears to contribute to China's nation-state hacking groups' prowess and ability to wield more zero-day vulnerabilities than any other country, as they support Beijing's robust cyberespionage agenda, as well as intellectual property theft on behalf of public and private entities, according to a new report from cybersecurity researcher Eugenio Benincasa.

Beijing is using domestic capture-the-flag and other hacking competitions to spot, develop and recruit new hacking talent domestically, as well as to gather and route information about zero-day flaws to the country's military and intelligence apparatus, according to Benincasa, who's a senior researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies at Switzerland's public research university ETH Zurich.

"China has developed a multifaceted 'hack-for-hire' ecosystem for offensive purposes that is unlike anything we have ever seen before. This ecosystem heavily taps into the talents of the country's civilian hacking community," Benincasa said in a post to the social platform X.

By civilian hacking, he means students and professionals - including vulnerability researchers - who engage in white hat hacking, meaning it's done for non-malicious purposes or in a manner not explicitly designed to align with the state's goals.

"This system grants Chinese security agencies exclusive access to zero-day vulnerabilities identified by China's top civilian hackers, and allows Beijing to subsequently outsource its espionage and offensive cyber operations to private contractors," the report says.

Benincasa's new research into China's hacking-for-hire and the zero-day-gathering ecosystem arrives on the heels of repeat warnings from Western intelligence officials that China has been proactively hacking critical infrastructure to give itself the ability to crash networks. Officials say Beijing could use this capability if it attempts to seize control of Taiwan, to try and slow any military response by the United States and allies (see: UK, US Officials Warn About Chinese Cyberthreat).

For anyone who might question the prowess of Chinese civilian hackers that the government appears to be nurturing and tapping, the report offers ample evidence:

  • Bug bounty programs: From 2017 through 2023, 27% of all vulnerabilities reported to Apple, Google Android and Microsoft via their bug bounty programs came from Chinese researchers.
  • Def Con CTF: From 2013 through 2023, between one and four Chinese teams - oftentimes battling hundreds of other teams - reached the capture-the-flag finals at Def Con every year, making it the most successful country after the U.S.
  • Pwn2Own: From 2014 to 2019, the share of total prize money awarded to a "handful" of Chinese researchers - including teams from Tencent and Qihoo 360 - at the annual computer hacking conference rose from 13% to 79%, earning them millions, although in 2018 the Chinese government banned Chinese researchers from participating in such international competitions.

Multiple winners of hacking competitions have gone on to create China-based capture-the-flag competitions or launch startups that focus on discovering zero-day vulnerabilities that they route to Chinese military and security agencies, he said. These include such businesses as Nanjing Saining Network Security, aka Cyber Peace; StarCross Technology, aka Xinglan Technology; Chaitin Tech, founded in 2014 and acquired in 2019 by Alibaba Cloud, which is a major supplier to the Ministry of State Security, the China's principal civilian intelligence agency; and Bolean Technology, aka Mulian Internet of Things Technology.

Benincasa said the line between civilian hacking, Chinese universities with software engineering and science programs, and state-level hacking appears to be increasingly blurry. At least some of the private firms that contract with the government to provide cyberespionage services or weaponize vulnerabilities also appear to be highly entrepreneurial, proactively undertaking offensive hacking to exfiltrate data they'll then market to China's private sector.

Such activity appears to be continuing, as recent leaks confirm that China's domestically hosted Tianfu Cup hacking competition works as an "exploit feeder system" for the MPS, cybersecurity researcher Winnona Bernsen at Margin Research said in a February report.

"When proof-of-concept vulnerabilities submitted to Tianfu aren't already full exploit chains (ready to use), the Ministry of Public Security disseminates the proof-of-concept code to private firms to further exploit," she said.

In 2023, the focus of the Tianfu Cup shifted from targeting software built by Western firms to finding vulnerabilities in domestic products, including such word processing and office software as WPS, UF YounGIP, Zhiyuan Collaboration Operation Management Platform, Panwei OA and Qi An Xin Trusted Browser, Benincasa said. This could reflect a focus by Beijing on better securing its products against foreign hackers as well as on increasing the reputation of its products abroad, he said.

Much about how Beijing's hack-for-hire ecosystem functions remains unknown. New clues have continued to emerge, thanks to extensive research from threat intelligence firms and think tanks, U.S. Department of Justice indictments of Chinese nationals accused of working for front companies for advanced persistent threat groups, and leaks by hacktivists such as Intrusion Truth as well as a dump of documents earlier this year pertaining to Chinese government contractor iSoon (see: iSoon Leak Shows Links to Chinese APT Groups).

The leak of iSoon documents to GitHub from the private, Shanghai-based company paints a picture of a hacking contractor sporting a disaffected, poorly paid workforce that nonetheless penetrated multiple regional governments and possibly even NATO on behalf of China's espionage establishment.

Researchers have traced connections between iSoon and other technology firms such as Qihoo 360, which is China's largest antivirus firm. Bernsen at Margin Research reported that based on the leaks, Qihoo 360 appears to have sold customers' personal identifiable information "to an offensive company it funds that does intelligence work for government clients."

Open questions remain, such as how and when Chinese vulnerability researchers are allowed to submit their findings to vendors based abroad, as they clearly do.

"Despite Western vendors receiving a lot of information about zero-day vulnerabilities, the Chinese system continues to be effective in exploiting Western products. This raises the question as to why," Benincasa said. "Are these distinct individual zero-days and zero-day chains? Is it a patching problem? Or does Chinese efficiency stem from inadequate security practices among the targeted victims?"

Another potential explanation: The Chinese government may often choose to not delay, or to not delay much, in allowing flaws to be reported to major Western vendors, given that they could also be used to exploit Chinese Apple, Google Android or Microsoft products users. Might Beijing shoot itself in the foot if it doesn't let these bugs be reported and patched in a timely manner, since another country's intelligence agencies - or criminals - may have already discovered and begun to exploit them inside China?

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.