

The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks incident response (IR) engagements suggest BRONZE SILHOUETTE targets organizations for intelligence-gathering purposes that are in alignment with the requirements of the PRC. Secureworks® Counter Threat Unit™ (CTU) researchers attribute this activity to BRONZE SILHOUETTE (referred to in the advisory as Volt Typhoon) and have observed the threat group conducting network intrusion operations against U.S. government and defense organizations since 2021. National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. In 2016, a powerful machine called Mayhem won the Cyber Grand Challenge, a cybersecurity competition held by the US Defense Advanced Research Projects Agency. On May 24, 2023, the U.S. “The policy effectively bought at least $4 million worth of research for free.” Robot Hacking Games

“China’s policy that researchers must submit vulnerabilities to the Ministry of Industry and Information Technology creates an incredibly valuable pipeline of software capabilities for the state,” says Cary. However, as the Chinese government tightens control, this multimillion-dollar ecosystem is now delivering a steady stream of software vulnerabilities to Chinese authorities, effectively funded by the companies and at no cost to Beijing. That’s been the status quo since the bounty programs began booming in popularity a decade ago.

When the researchers report a bug, the companies can fix it. The American companies benefit from the participation of these Chinese researchers. In his congressional testimony last week, Cary said an unnamed large American firm had disclosed to him that Chinese researchers received $4 million in 2021. Multiple American companies host marketplaces where any tech firm can put its own products up for close examination in exchange for bounties to the researchers. By any measurement, China ranks at or near the top in alerting American firms to vulnerabilities in their software. Over the last decade, the “bug bounty” model has provided millions of dollars to build a global ecosystem of researchers who find software security vulnerabilities and are paid to report them. The result was a public punishment of Alibaba and an implicit warning for anyone else thinking of making a similar move. China’s stricter policies have an impact well outside the country itself. We’ve seen one exception to this rule: an employee of the Chinese cloud computing giant Alibaba reported the famous Log4j vulnerability to developers at Apache instead of first delivering it to Chinese government authorities. “They get to choose what they’ll do with this, really increasing the visibility they have into the research being conducted and their ability to find utility in all of it.” “All of the vulnerability research goes through an equities process where the Chinese government gets right of first refusal,” says Adam Meyers, senior vice president of intelligence at the cybersecurity company CrowdStrike. This mandate was expanded with regulation requiring all software security vulnerabilities to be reported to the government first, giving Chinese officials unparalleled early knowledge that can be used for defensive or offensive hacking operations. No other country exerts such tight control over such a vast and talented class of security researchers.
And they must submit everything to government authorities beforehand, including any knowledge of software vulnerabilities they might be planning to exploit.

Now, however, if Chinese researchers want to go to international competitions, they require approval, which is rarely granted. Prizes worth hundreds of thousands of dollars incentivize people to identify security flaws so that they can be fixed. A hacking contest pits some of the world’s best security researchers against one another in a race to find and exploit powerful vulnerabilities in the world’s most popular tech, like iPhones, Teslas, or even the kind of human-machine interfaces that help run modern factories. “The Chinese have a unique system reflecting the party-state’s authoritarian model,” says Dakota Cary, an analyst at Georgetown’s Center for Security and Emerging Technology. Chinese cyber researchers are effectively banned from attending international hacking events and competitions, tournaments they once dominated.
