Udayavni Special

A Chinese hacking competition may have given Beijing new ways to spy on the Uyghurs

PTI, May 24, 2021, 12:59 PM IST

When Apple announced in a 2019 blog post that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was “narrowly focused” on websites featuring content related to the Uyghur community.

It has since emerged that the vulnerability in question was discovered at China’s principal hacking competition, the Tianfu Cup, where a professional hacker won a prize for his work in uncovering it. The normal protocol would be to inform Apple of the vulnerability. But it’s alleged that, instead, the breach was kept secret, with the Chinese government acquiring it to spy on the country’s Muslim minority.

Hacking competitions are an established way for technology companies like Apple to locate and attend to weaknesses in their software’s cybersecurity. But with state-backed hacks on the rise, the suggestion that the Tianfu Cup is feeding Beijing new ways to perform surveillance is concerning – especially seeing as Chinese competitors have dominated international hacking competitions for years.

Hacking competitions When software is hacked, it’s often because attackers have found and exploited a cybersecurity vulnerability that the software vendor didn’t know existed. Finding these vulnerabilities before they’re spotted by cyber-criminals or state-backed hackers can save technology providers a huge amount of money, time and public-relations firefighting.

That’s why hacking competitions exist. Tech companies provide the prize money and cybersecurity researchers – or professional hackers – compete to win it by finding the security weaknesses hidden in the world’s most-used software. The likes of Zoom and Microsoft Teams were successfully hacked in April’s Pwn2Own event, for instance, which is regarded as the top hacking competition in North America.

Until 2017, Chinese hackers walked away with a high proportion of prizes offered at Pwn2Own. But after a Chinese billionaire argued that Chinese hackers should “stay in China” because of the strategic value of their work, Beijing responded by banning Chinese citizens from competing in overseas hacking competitions. China’s Tianfu Cup was set up shortly after, in 2018.

In its first year, a hacker competing in the Tianfu Cup produced a prize-winning hack he called “Chaos”. The hack could be used to remotely access even the latest iPhones – the kind of breach that could easily be used for surveillance purposes. Google and Apple both spotted the hack “in the wild” two months later, after it had been used in a targeted way against Uyghur iPhone users.

Though Apple mitigated the hack within two months, this case shows that exclusive national hacking competitions are dangerous – especially when they take place in countries that require citizens to cooperate with government demands.

Hacking competitions are designed to expose “zero-day” vulnerabilities – security weaknesses that software vendors haven’t located or foreseen. Prize-winning hackers are supposed to share the techniques they used so that the vendors can devise ways to patch them up. But keeping zero-day exploits private, or passing them on to government institutions, significantly increases the chance they’ll be used in state-backed zero-day attacks.

Zero-day attacks We’ve seen examples of such attacks before. Early in 2021, four zero-day vulnerabilities in the Microsoft Exchange server were used to launch widespread attacks against tens of thousands of organisations. The attack has been linked with Hanium, a Chinese government-backed hacking group.

A year earlier, the SolarWinds hack compromised the security of multiple US federal agencies, including the Treasury and Commerce Department and the Energy Department, which is in charge of the country’s nuclear stockpile.

The hack has been linked to APT29, also known as “Cozy Bear”, which is the hacking arm of Russia’s foreign intelligence service, the SVR. The same group was reportedly involved in the attempted hacking of organizations holding information about COVID-19 vaccines in July 2020.

In Russia and China at least, evidence suggests that gangs of cybercriminals are working closely, and sometimes interchangeably, with state-sponsored hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new talent pool of expert hackers, motivated by the competition’s prize money to produce potentially harmful hacks that Beijing may be willing to use both at home and abroad.

Udayavani is now on Telegram. Click here to join our channel and stay updated with the latest news.

Top News

Focus on developing toys, games that present every aspect of Indianness in interesting, interactive ways: PM at Toycathon-2021

Jaishankar compliments officials for timely passport delivery despite pandemic

Guj: Rahul Gandhi appears before Surat court in defamation case

Rajnath Singh begins visit to Karwar naval base, Kochi

Bengaluru: Father, step-mom held for torture of 3 minors

Manipal: Cylinder blast in house, valuables, household items burnt into ash

Gift of mobility: Kundapur youth makes wheeled prosthetic for injured stray dog

Related Articles More

McAfee antivirus software creator dead in Spanish prison

ISRO, NOAAA-led multinational project endorsed by UN body

IBM, IISc launch hybrid cloud lab in Bengaluru

Twitter invites users to test its monetization features

Chandrayaan instrument gives outstanding science results on solar corona and heliophysics


Udayavani News Bulletin 23-06-2021

Food Crisis In North Korea

Bomb blast near Hafiz Saeed’s House


Sanchari Vijay’s brother Virupaksha clarifies the rumors

Latest Additions

Focus on developing toys, games that present every aspect of Indianness in interesting, interactive ways: PM at Toycathon-2021

Former BJP corporator stabbed to death in Bengaluru

Jaishankar compliments officials for timely passport delivery despite pandemic

Guj: Rahul Gandhi appears before Surat court in defamation case

Sonia Gandhi asks partymen to work to address vaccine hesitancy

Thanks for visiting Udayavani

You seem to have an Ad Blocker on.
To continue reading, please turn it off or whitelist Udayavani.