
CYBERDEFENSE REPORT


Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem

The Chinese government has created an elaborate multifaceted “hack-for-hire” ecosystem that is unlike anything we have ever seen before. The system grants Chinese security agencies exclusive access to zero-day vulnerabilities (box 1) identified by China’s top civilian hackers, and allows Beijing to subsequently outsource its espionage operations to private contractors. The author’s understanding of the various facets of China’s hack-for-hire ecosystem draws from prior research and sources, including:

  • U.S. Indictments (2014-2024)¹: Since 2014, the U.S. Department of Justice has been unveiling indictments against Chinese citizens engaged in malicious cyber activities, laying bare the inner workings and coordination of China’s offensive cyber ecosystem, which is characterized by a web of relationships between China’s intelligence agencies, private companies, and academia.
  • Intrusion Truth (2017-2023)²: Since 2017, the anonymous group Intrusion Truth has exposed over 30 Chinese cyber operatives linked to six Advanced Persistent Threats (APTs). Predominantly based on open-source information, Intrusion Truth revealed connections between China’s IT sector, academia, and the nation’s intelligence agencies.
  • Dakota Cary and Kristin Del Rosso’s “Sleight of Hand” report (2023)³: This report showed how China’s military and intelligence agencies gain access to zero-day vulnerabilities discovered by private sector cybersecurity research teams. The report identified numerous Chinese companies that feed vulnerabilities to China’s intelligence apparatus. Based on the number of vulnerabilities submitted, the Chinese government categorizes these companies along three tiers.
  • i-SOON Analyses (2024): In 2024, a data dump uploaded on GitHub revealed the inner workings of Chinese government contractor i-SOON. The leaked documents showed that i-SOON was extensively engaged in Chinese espionage activities. A subsequent report by French threat intelligence company Harfang titled “A Comprehensive Analysis of i-SOON’S Commercial Offering,” and Winona Bernsen’s “Same same, but Different”⁵ report for Margin Research, analyzed the i-SOON dump and provided significant operational insights into China’s hack-for-hire system.

This CSS cyber defense report will explain how the Chinese offensive cyber ecosystem thrives through varying degrees of state involvement with civilian hackers. In this report, the term “civilian hacker” encompasses both Chinese students and professionals engaged in hacking competitions and bug bounty programs for non-malicious purposes and without the distinct aim of furthering state-aligned goals. Where applicable, the term “civilian hacker” is specified by using the terms “vulnerability researchers” or “civilian researcher.”

Mandated by law to collaborate with Chinese government security agencies, the contributions of civilian hackers are most immediately observed through the identification and dissemination of zero-day vulnerabilities to government agencies. As of this writing, Chinese state actors are exploiting more zero-days in absolute numbers than any other country, as revealed by Google Mandiant’s James Sadowski and Casey Charrier in their March 2023 write-up “Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace.”⁶ The impact of China’s civilian research teams also extends beyond merely discovering vulnerabilities, fueling a less quantifiable yet robust and self-reinforcing offensive cyber ecosystem.
