A Chinese hacking competition may have given Beijing new ways to spy on the Uyghurs


PTI, May 24, 2021, 12:59 PM IST

When Apple announced in a 2019 blog post that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was “narrowly focused” on websites featuring content related to the Uyghur community.

It has since emerged that the vulnerability in question was discovered at China’s principal hacking competition, the Tianfu Cup, where a professional hacker won a prize for his work in uncovering it. The normal protocol would be to inform Apple of the vulnerability. But it’s alleged that, instead, the breach was kept secret, with the Chinese government acquiring it to spy on the country’s Muslim minority.

Hacking competitions are an established way for technology companies like Apple to locate and attend to weaknesses in their software’s cybersecurity. But with state-backed hacks on the rise, the suggestion that the Tianfu Cup is feeding Beijing new ways to perform surveillance is concerning – especially seeing as Chinese competitors have dominated international hacking competitions for years.

Hacking competitions When software is hacked, it’s often because attackers have found and exploited a cybersecurity vulnerability that the software vendor didn’t know existed. Finding these vulnerabilities before they’re spotted by cyber-criminals or state-backed hackers can save technology providers a huge amount of money, time and public-relations firefighting.

That’s why hacking competitions exist. Tech companies provide the prize money and cybersecurity researchers – or professional hackers – compete to win it by finding the security weaknesses hidden in the world’s most-used software. The likes of Zoom and Microsoft Teams were successfully hacked in April’s Pwn2Own event, for instance, which is regarded as the top hacking competition in North America.

Until 2017, Chinese hackers walked away with a high proportion of prizes offered at Pwn2Own. But after a Chinese billionaire argued that Chinese hackers should “stay in China” because of the strategic value of their work, Beijing responded by banning Chinese citizens from competing in overseas hacking competitions. China’s Tianfu Cup was set up shortly after, in 2018.

In its first year, a hacker competing in the Tianfu Cup produced a prize-winning hack he called “Chaos”. The hack could be used to remotely access even the latest iPhones – the kind of breach that could easily be used for surveillance purposes. Google and Apple both spotted the hack “in the wild” two months later, after it had been used in a targeted way against Uyghur iPhone users.

Though Apple mitigated the hack within two months, this case shows that exclusive national hacking competitions are dangerous – especially when they take place in countries that require citizens to cooperate with government demands.

Hacking competitions are designed to expose “zero-day” vulnerabilities – security weaknesses that software vendors haven’t located or foreseen. Prize-winning hackers are supposed to share the techniques they used so that the vendors can devise ways to patch them up. But keeping zero-day exploits private, or passing them on to government institutions, significantly increases the chance they’ll be used in state-backed zero-day attacks.

Zero-day attacks We’ve seen examples of such attacks before. Early in 2021, four zero-day vulnerabilities in the Microsoft Exchange server were used to launch widespread attacks against tens of thousands of organisations. The attack has been linked with Hanium, a Chinese government-backed hacking group.

A year earlier, the SolarWinds hack compromised the security of multiple US federal agencies, including the Treasury and Commerce Department and the Energy Department, which is in charge of the country’s nuclear stockpile.

The hack has been linked to APT29, also known as “Cozy Bear”, which is the hacking arm of Russia’s foreign intelligence service, the SVR. The same group was reportedly involved in the attempted hacking of organizations holding information about COVID-19 vaccines in July 2020.

In Russia and China at least, evidence suggests that gangs of cybercriminals are working closely, and sometimes interchangeably, with state-sponsored hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new talent pool of expert hackers, motivated by the competition’s prize money to produce potentially harmful hacks that Beijing may be willing to use both at home and abroad.

Udayavani is now on Telegram. Click here to join our channel and stay updated with the latest news.

Top News

7 Indians among around 200 injured in German Christmas market attack

Gambhir Problems: He wants his team but will he get that?

From reel to real: Drug smuggler caught from theatre during ‘Pushpa 2’ show

Boxing Day Test: Fans wait for Kohli’s ‘Kingly’ outing at MCG

BJP MPs did not mention Indira herself voted to remove many provisions of 42nd Amendment: Ramesh

Puttur: Dinesh Gundu Rao highlights success of Home Health Scheme in Kolar, plans statewide expansion

Mangaluru: MP Brijesh Chowta emphasizes need for NIA in coastal Karnataka

Related Articles More

ISRO & ESA agree to cooperate on astronaut training, mission implementation

Snatcher lands in police net in Delhi, AI tech helps reveal identity

AI Meets Health: The Rise of Smart Fitness Solutions

Power Up by Powering Down: 10 Energy-Saving Tips for Every Home

Multi-lingual AI chatbot to assist visitors during Maha Kumbh Mela 2025

MUST WATCH

Tulunadu Daivaradane

Feeding Birds with Creative Paddy Art!

Areca Nut

HOTEL SRI DURGA BHAVANA

Harish Poonja


Latest Additions

Kundapura: Jet ski overturns in rough sea; Rider missing

7 Indians among around 200 injured in German Christmas market attack

Bengaluru: Woman posing as politician’s associate loots 3 kg gold

Belagavi: Man drives tractor over brother over property dispute, arrested

Gambhir Problems: He wants his team but will he get that?

Thanks for visiting Udayavani

You seem to have an Ad Blocker on.
To continue reading, please turn it off or whitelist Udayavani.