There is now a growing global concern that China’s cyber offensives against foreign targets are increasingly becoming more effective because of the sophisticated fusion of its civilian technological institutions with their military counterparts, something the democratic countries are finding difficult to replicate.

Ever since President  Xi Jinping unveiled China’s ambition to transform into a “cyber power” in 2014, Beijing has reportedly invested billions of dollars to realize it. This vision has simultaneously been pursued with large investments, organizational refinements within and across security agencies, and the establishment of relevant legal frameworks to bolster China’s offensive cyber and defensive capabilities.

However, what is not so well-known is the role that  China’s civilian hacker community has played in this endeavor, working in tandem with and supporting state efforts.

China’s primary civilian hacking teams and their research are believed to focus now on Western products and systems by examining their participation in prominent hacking competitions and bug bounty programs. These teams are said to be affiliated with companies that collaborate with government agencies on a wide spectrum of cyber activities, including supplying them with a significant number of vulnerabilities for offensive purposes.

AfriPrime App link:  FREE to download...

https://www.amazon.com/Africircle-AfriPrime/dp/B0D2M3F2JT

China is increasingly using these companies to find vulnerabilities in their own computer networks and then tapping that knowledge to target foreign nations and industries.

Last month, US and British officials publicly warned of a growing cyber threat from China. The White House cyber director said Beijing was capable of causing havoc in cyberspace, and a UK spy agency chief warned of an “epoch-defining” challenge.

It may be noted that in April, US officials had alleged a sweeping cyberespionage campaign dubbed “Volt Typhoon” in which Chinese hackers broke into dozens of American critical infrastructure organizations, using a vast global network of compromised personal computers and servers. FBI Director Christopher Wray had viewed this as China’s broader intent to deter the U.S. from defending Taiwan.

A significant piece of research by Eugenio Benincasa, a Senior Researcher in the Cyber Defense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zürich, highlights how China is strengthening its cyber offensives.

His recent paper, titled “From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem,” reveals how a sophisticated system has been developed in China that enables attackers to gain unauthorized access, navigate through a network, pilfer data, or compromise a system.

Some of the important revelations in this study are being highlighted in the following paragraphs :

The Chinese hackers are evaluated based on their performance at the “Hacking Competitions” they participate in, both in China and abroad (the bug bounty programs of Apple, Google Android, and Microsoft, for instance).

These competitions incentivize participants to analyze the newest types of security threats, assess them, and practice remediating such issues.

Chinese hackers may be roughly divided into two distinct groups. Prominent Chinese researchers who have distinguished themselves by winning or participating in prestigious competitions are often affiliated with level 1 Technical Support Units (TSU), which are Chinese companies that have links with  China’s premier intelligence agency, the Ministry of State Security (MSS). These researchers have refined their abilities over time through incentives offered by international hacking competitions and bug bounty programs, with Western products and systems frequently being their most sought-after targets. But they are not directly linked to Chinese state-sponsored cyber operations; it is their companies that are linked.

The second group encompasses non-public-facing government-contracted hackers. These individuals have not participated in hacking competitions and are not generally contributors to bug bounty programs.

AfriPrime App link:  FREE to download...

https://www.amazon.com/Africircle-AfriPrime/dp/B0D2M3F2JT

China’s hack-for-hire ecosystem essentially works as follows: The contracted hackers execute cyber operations, while the elite researchers focus on vulnerability research and cybersecurity startup creation. This helps the contracted hackers meet immediate mission requirements and sustains China’s broader offensive cyber ecosystem in the medium and long run.

This setup effectively saves prominent or elite researchers from professional or reputational risks because of their non-direct involvement in malicious state-sponsored activities.

This setup is also said to reflect China’s Military-Civil Fusion (MCF) initiative. The MCF initiative seeks to harness the synergy between commercial and defense advancements, leveraging civilian talent to enhance and support the Chinese military.

China’s cybersecurity ecosystem is bolstered by expanding professional and educational opportunities in the domestic offensive cyber sector. According to statistics from the China Cybersecurity Industry Alliance (2023), the cybersecurity sector is poised for sustained growth in the coming years, with a projected market size exceeding 11 billion USD by 2025.

Cybersecurity education in China has also gained momentum, with over 200 domestic universities offering cybersecurity or information security majors as of March 2023. Hacking competitions have become integral to the cybersecurity curriculum.

Since the early 2010s, Chinese teams from a limited number of universities and companies have emerged as leading contenders in the most challenging and prestigious international hacking competitions, including the famous DEFCON CTF (a hacker convention held annually in Las Vegas, Nevada ) and Pwn2Own (the computer hacking contest organized by the CanSecWest Applied Security Conference;  it is now held twice a year in Vancouver).

At DEFCON, one such team, the Blue Lotus, first reached the finals in 2013. From then until 2023, between one and four Chinese teams have consistently reached the finals each year, representing the only significant challenge to US dominance.

Similarly, at Pwn2Own, the winnings of Chinese participants increased from 13% in 2014 to 79% in 2019 of the total prize money awarded to all participants.

Chinese hackers have also been top contributors to the bug bounty programs of prominent US-based companies. From 2017 to 2023, China alone contributed 27% of all vulnerabilities submitted to the bug bounty programs of Apple, Google, Android, and Microsoft combined, while the rest of the world accounted for 59%.

Individual Chinese researchers and teams have garnered numerous recognitions, frequently figuring among the top spots in these programs’ rankings of best researchers and teams for both the caliber and quantity of the vulnerabilities they have uncovered.

These achievements led to the establishment of China’s own world-class hacking competitions, the creation of influential startups, and the development and expansion of some of today’s top Chinese security research teams and laboratories.

In alignment with China’s MCF policy, the Chinese government has systematically utilized the above cyber-related civilian resources for strategic purposes. Various entities, including universities and companies, collaborate with the Chinese government across a spectrum of cyber activities.  On the private sector and academic side, the collaborations can range from a single individual hacker or professor to entire teams comprised of both students and seasoned cybersecurity professionals.

In other words, “the demarcation line separating China’s military and civil domains in cyberspace has become particularly fluid or has entirely vanished,” argues Benincasa. China’s civilian hackers are getting increasingly “weaponized.”

AfriPrime App link:  FREE to download...

https://www.amazon.com/Africircle-AfriPrime/dp/B0D2M3F2JT