6 June 2024

From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem

Eugenio Benincasa

Introduction

The Chinese government has created an elaborate multifaceted “hack-for-hire” ecosystem that is unlike anything we have ever seen before. The system grants Chinese security agencies exclusive access to zero-day vulnerabilities (box 1) identified by China’s top civilian hackers, and allows Beijing to subsequently outsource its espionage operations to private contractors. The author’s understanding of the various facets of China’s hack-for-hire ecosystem draws from prior research and sources, including:

1. Since 2014, the U.S. Department of Justice has been unveiling indictments against Chinese citizens engaged in malicious cyber activities, laying bare the inner workings and coordination of China’s offensive cyber ecosystem, which is characterized by a web of relationships between China’s intelligence agencies, private companies, and academia.

2. Since 2017, the anonymous group Intrusion Truth has exposed over 30 Chinese cyber operatives linked to six Advanced Persistent Threats (APTs). Predominantly based on open-sourceinformation, Intrusion Truth revealed connections between China’s IT sector, academia, and the nation’s intelligence agencies.

No comments: