web analytics

China Using Powerful Hacking Firms to Run Its Espionage War – Source: www.databreachtoday.com

china-using-powerful-hacking-firms-to-run-its-espionage-war-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Geo Focus: Asia

5 Cybersecurity Firms Provide Large Pool of Government-Funded Espionage Resources

Jayant Chakravarti (@JayJay_Tech) •
September 16, 2024    

China Using Powerful Hacking Firms to Run Its Espionage War
Oppo, a leading cybersecurity firm located in downtown Chengdu, Sichuan Province, China (Image: Shutterstock)

China’s cyberespionage campaigns, viewed as an extension of the communist regime’s wider geopolitical moves, rely on civilian hackers from domestic security firms for much of their success. Researchers say these groups face off in intense rivalries for lucrative government contracts.

See Also: New OnDemand | People-Centric Security for the Public Sector

While the relationship between these businesses and the government is private, a leak of information belonging to midsized Chinese cybersecurity company Anxun Information Technology Co., also known as iSoon, revealed what security researchers and China watchers have suspected: strong connections between the Chinese government and domestic cybersecurity companies through government contracts.

The iSoon leak of 577 files in a GitHub repository provided a glimpse into the murky, often corrupt environment in which domestic cybersecurity companies operate. Anxun executives actively used a combination of late-night parties, alcohol and women – along with loyalty to party ideology – to woo government officials and win lucrative contracts.

An analysis of the iSoon documents found that the Chinese cybersecurity company spied on government and private organizations in at least 22 countries on behalf of the Chinese government. The documents linked iSoon to Chinese state hacking groups tracked as RedHotel, RedAlpha and Poison Carp, which Recorded Future said were likely iSoon sub teams focused on specific missions (see: iSoon Leak Shows Links to Chinese APT Groups).

According to threat research firm Natto, Chengdu-headquartered iSoon operated out of six locations in China and had about 160 employees at the time of the leak, but only about 26 of them had a four-year university degree and handled sensitive operations. With these resources, iSoon claimed it breached organizations in more than 30 countries and had sophisticated tools in its arsenal to mount further attacks.

iSoon is a relatively small player in the Chinese cybersecurity community. The leaked documents indicate that the company’s revenues fell during the COVID-19 pandemic, partly due to the government investing resources elsewhere and partly due to the meteoric rise of rival cybersecurity companies that cornered the most lucrative government contracts.

Employee chat records from the leaked documents indicated that Qi An Xin, a leading cybersecurity company that worked on 90% of central government departments, government-led enterprises and banks, poached many of iSoon’s talented staff under the pretense of investing in the business but later withdrew its offer. “iSoon’s employee retention dilemma illustrates the big-fish-eat-small-fish atmosphere in the cybersecurity industry in China,” Natto said.

Major Chinese Vendors Hold All the Cards

According to Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich, China’s offensive cyber warfare strategy relies heavily on a small group of leading cybersecurity companies that hold a major share of central government cybersecurity contracts. These companies – namely Qihoo 360, Tencent, Cyber Kunlun, Oppo and Ant Group – lead the world in terms of bug bounty contributions to tech companies, including Google, Apple and Microsoft.

Chinese bug bounty hackers have performed admirably at global bug bounty contests and hackathons since at least 2013, and teams from Tencent and Qihoo 360 bagged 80% of the prize money at the Pwn2Own hacking contest in Canada in 2017. The next year, China barred vulnerability researchers from participating in international hackathons and launched Tianfu Cup exclusively for the domestic hacking community.

This shift immediately created new leaders in the market while displacing existing players. Qihoo 360, which reported 70% of all vulnerabilities to Android and 60% to Microsoft between 2017 and 2020, quickly lost prominence when leading Microsoft vulnerability researcher Yuki Chen left with the rest of his team to establish Cyber Kunlun and leading Android researcher Zinuo Han moved to Oppo in 2021.

Since 2021, Cyber Kunlun and Oppo have been the largest Chinese vulnerability contributors to Microsoft and Google, keeping the trend alive despite a ban on international participation from China. “Chen and Han belong to a relatively small yet influential cohort of superstar Chinese hackers whose research enormously benefits the security of critical U.S. products,” Benincasa said. “At the same time, it’s also likely that their findings are scrutinized by China’s intelligence agency, the Ministry of State Security, potentially for offensive or espionage objectives.”

In 2021, China implemented the Regulations on the Management of Network Product Security Vulnerabilities, forcing domestic vulnerability researchers to report vulnerabilities to authorities within 48 hours. The government also launched a China National Vulnerability Database, requiring whitelisted private companies to disclose vulnerabilities that are then assessed by state authorities.

According to the Atlantic Council, as many as 151 private cybersecurity companies upload information about software vulnerabilities to the vulnerability database managed by the 13th Bureau of the Chinese Communist Party’s Ministry of State Security.

“Each year, the researchers provide at least 1,955 software vulnerabilities to the MSS, at least 141 of which are classified as ‘critical’ severity. Once received by the MSS, they are almost certainly evaluated for offensive use,” the group said.

“China’s vulnerability pipeline provides its government agencies with a significant advantage over their Western counterparts,” Benincasa said. “By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government effectively leverages some of the world’s top vulnerability researchers on a large scale and at no cost.”

The vulnerability acquisition process, he said, is a much faster and cost-effective process compared to acquiring zero-days from the dark markets or investing in its own vulnerability research team.

In research published in June, Benincasa described how China’s strategy of forcing vulnerability researchers to report zero-days to authorities is helping nation-state hacking groups compromise more zero-day vulnerabilities than any other country (see: China Using Hacking Competitions to Develop Domestic Talent).

Natto’s research reached a similar conclusion. Although the country is known for its top-down model of governance, authorities have been planning to involve private cybersecurity companies as partners to execute the government’s cyber strategy since the early 2000s. What helps the cause is that private companies are more than willing to compete for government contracts and even collaborate on joint projects.

“China’s resource of skilled cyber experts resides in private sector companies,” the company said. “These companies develop valuable tools for the state and local authorities to use, such as the products and services iSoon and its partner companies offer. These companies diligently discover vulnerabilities and develop exploits to improve their own efficiency so they can expand their business.”

To improve their competitiveness, Chinese cybersecurity companies constantly seek fresh talent from domestic hacking contests and leading universities that offer advanced cybersecurity courses. The government supports the initiative by encouraging more universities to offer security courses. According to a recent Global Times report, as many as 626 universities are now offering cybersecurity-related majors, including courses on cryptography, web security, privacy, and computer networks and security.

Original Post url: https://www.databreachtoday.com/china-using-powerful-hacking-firms-to-run-its-espionage-war-a-26296

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Google Cloud
Board of Directors Handbook for Cloud Risk Governance
Board of Directors Handbook for...
ISACA
Blueprint for Ransomware Defense
Blueprint for Ransomware Defense
Shaurya Rawal
Blockchain Security
Blockchain Security
RISK academy
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
BEST RISK MANAGEMENT PROMPTS FOR...
IGNITE Technologies
Best Alternative of Netcat
Best Alternative of Netcat
aws
AWS Security Incident Response Guide
AWS Security Incident Response Guide
DevSecOps Guide
Attacking Rust
Attacking Rust
DevSecOps Guide
Attacking Pipeline
Attacking Pipeline
DevSecOps Guide
Attacking Golang
Attacking Golang
HADESS
Assembly for Hackers
Assembly for Hackers
BIONIC
Application Security Posture Management
Application Security Posture Management
Wallarm
API ThreatStatsTM Report
API ThreatStatsTM Report

More Latest Published Posts

ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los CEO.
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware on Connected OT Systems
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act – Control Mappings
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing
IGNITE Technologies
Disk Group Privilege Escalation
Disk Group Privilege Escalation
Hiral Patel
Data LossPrevention(DLP)
Data LossPrevention(DLP)
Polygon
Digital identity – Deutsche Bank Corporate Bank
Digital identity – Deutsche Bank Corporate Bank
CSA Cloud Security Alliance
The Six Pillars of DevSecOps:Collaboration andIntegration
The Six Pillars of DevSecOps:Collaboration andIntegration
ASPIRE SYSTEMS
A complete guide toImplementingDevSecOps in AWS
A complete guide toImplementingDevSecOps in AWS
GAO
CYBERSECURITY PROGRAM AUDIT GUIDE
CYBERSECURITY PROGRAM AUDIT GUIDE
Apress
Demystifying Intelligent Multimode Security Systems An SystemsAn Edge-to-Cloud Cybersecurity Solutions Guide
Demystifying Intelligent Multimode Security Systems An SystemsAn Edge-to-Cloud Cybersecurity Solutions Guide
PWC
Data Privacy Handbook
Data Privacy Handbook
CERT-EU
DDoS Overview and Response Guide
DDoS Overview and Response Guide
IGNITE Technologies
Data Exfiltration Cheat Sheet
Data Exfiltration Cheat Sheet
CRC Press
Data Privacy for the Smart Grid
Data Privacy for the Smart Grid
New York State
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats and security best practices
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web Server SystemsHacking Techniques
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by Cigref
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0