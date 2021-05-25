When Apple announced in a 2019 blog post that it had fixed a security flaw in its iOS operating system, the company sought to reassure its customers. The attack that exploited the vulnerability, Apple said, was tightly focused on websites featuring content related to the Uyghur community.

It has since emerged that the vulnerability in question was discovered during China’s leading hacking competition, the Tianfu Cup, where a professional hacker won an award for his discovery work. The normal protocol would be to notify Apple of the vulnerability. But he alleged that instead the breach was being kept a secret, with the Chinese government acquiring it for spy on the muslim minority in the country.

Hacking contests are an established way for tech companies like Apple to locate and remedy cybersecurity weaknesses in their software. But with state-backed hacks On the upside, the suggestion that the Tianfu Cup feeds Beijing into new ways of carrying out surveillance is concerning especially as Chinese competitors have dominated international hacking competitions for years.

When software is hacked, it’s often because attackers have discovered and exploited a cybersecurity vulnerability that the software vendor was unaware of. Find these vulnerabilities before they are spotted by state-sponsored cybercriminals or hackers can save tech vendors a huge amount of money, time, and PR firefighting.

That is why there are hacking competitions. Technology companies provide the prize money and cybersecurity researchers or professional hackers compete for it by uncovering security weaknesses hidden in the world’s most widely used software. The likes of Zoom and Microsoft Teams were successfully hacked at the Aprils Pwn2Own event, for example, which is considered the premier hacking competition in North America.

Until 2017, Chinese hackers left with a high proportion of price offered to Pwn2Own. But after a Chinese billionaire argued that Chinese hackers should stay in China because of the strategic value of their work, Beijing replied with ban Chinese citizens to participate in hacking competitions abroad. The Chinas Tianfu Cup was established soon after, in 2018.

In his first year, a hacker participating in the Tianfu Cup produced an award-winning hack he called chaos. Hacking could be used to remotely access even the latest iPhones, the type of breach that could easily be used for surveillance purposes. Google and Apple both spotted the hack in the wild two months later, after it was used in a targeted manner against Uyghur iPhone users.

Although Apple has mitigated piracy in two months, this case shows that exclusive national hacking competitions are dangerous, especially when they take place in countries that require citizens to cooperate with government demands.

Hacking competitions are designed to expose security flaws in zero-day vulnerabilities that software companies did not locate or predict. Award-winning hackers are supposed to share the techniques they’ve used so that sellers can find ways to fix them. But keeping zero-day exploits private or passing them on to government institutions dramatically increases the chances that they will be used in state-sponsored zero-day attacks.

We have already seen examples of such attacks. Beginning of 2021, four zero-day Microsoft Exchange server vulnerabilities were used to launch widespread attacks against tens of thousands of organizations. The attack was related to Hanium, a Chinese government-backed hacking group.

One year earlier, SolarWinds hack compromised the security of several federal agencies in the United States, including Treasury and Commerce Department and the Department of Energy, which is in charge of the country’s nuclear stock. The hack has been linked to APT29, also known as Cozy bear, which is the hacking arm of Russia’s foreign intelligence service, the SVR. The same group is said to have been involved in the hacking attempt organizations with information on Covid-19 vaccines as of July 2020.

In Russia and China at least, the evidence suggests that cybercriminal gangs work closely, and sometimes interchangeably, with state-funded hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new pool of expert hacker talent, motivated by competition prizes to produce potentially dangerous hacks that Beijing might be willing to use both in its country. and abroad.

