Competitions for young hackers are increasingly commonplace. One of the most popular was held in the UK, with teams placed into a cyber-physical environment and tasked with breaching the defenses of the facility and then successfully defending it from the attacks of their peers. The winners of the competition would then go on to compete in the Cambridge 2 Cambridge competition held at MIT that would allow the best young cyber minds from both sides of the Atlantic to pit their wits against one another.
Such competitions are usually framed as a great way for youngsters to test their skills in a competitive, yet largely harmless environment, while also helping to alert those in the industry of the best talent coming out of universities. What they generally aren’t branded as is an opportunity for state-led cyberattacks, yet that is a concern being labeled at China’s Tianfu Cup, which is regarded as the principal hacking competition in the country.
The accusations emerged in the wake of an announcement by Apple in 2019 that the company had patched a vulnerability in the iOS operating system after attacks had exploited the vulnerability to target websites running content on the Uyghur community that is widely believed to be exploited and discriminated against by the Chinese government. Except it has since emerged that the vulnerability was exposed at the Tianfu Cup, which is branded as China’s biggest and most prestigious hacking competition.
Such discoveries are commonplace in hacking competitions, with the Pwn2Own competition commonly seeing its competitors from around the world uncover previously unknown security flaws. The rules of the competition state that once the vulnerability is discovered, the details are given to the company involved to allow them to fix the hole before it reaches the wider world. The hacker gets bragging rights and a financial reward.
Many of these events have been dominated by Chinese hackers over the years. While it earned them considerable prize money and garnished their reputation as the elite of the hacking world, it was not something that got them on the good side of the Chinese government.
Rather than allowing these vulnerabilities to be plugged in return for a relatively small reward, the CCP would much rather the vulnerabilities found by the hackers be exploited for Chinese gain.
Changing the rules
Traditionally, hacking competitions have been an excellent way for tech firms to uncover vulnerabilities in their systems so that they can be addressed before they escalate into anything more serious. State-sponsored hacking is on the rise, however, and it’s hard to escape the notion that state-backed competitions, such as the Tianfu Cup, are thinly veiled fronts to aid state-backed cyber espionage.
Often in the fast-paced world of cybersecurity, the earlier a company can be made aware of a vulnerability the better it is, with a quick plugging of a gap capable of saving huge amounts of time, money, and prestige for the vulnerable firm. In many cases, this is why corporate-sponsored hacking competitions exist.
While they may be a good way to scout for the hottest talent in the field, hackathons are also a fantastic way to locate vulnerabilities in a relatively benign setting.
For instance, in the latest Pwn2Own event there were security holes found in the Microsoft Teams and Zoom platforms that have become so ubiquitous during the Covid-19 pandemic.
Over the years, Chinese hackers had come to dominate Pwn2Own, but their success attracted the attention of the Chinese state, which has begun to ban Chinese citizens from competing in hacking competitions overseas. Indeed, the Tianfu Cup was in part set up in response to this ban, in 2018.
Whereas traditionally such competitions have been designed to uncover holes in order to plug them, the Tianfu Cup has produced hacks that could be exploited. For instance, a few years ago the Chaos hack was awarded the top prize for enabling access to be gained remotely to the latest iPhones. It was a security hole that Apple spotted in public a few months after the competition, during which time it had been used as part of the campaign against Uyghur citizens by the Chinese state.
Even as Apple was eventually able to plug the hole, the fact that the vulnerability was both found in a state-sponsored hacking competition and then exploited to further state ambitions shows how dangerous such competitions are proving to be. The very fact that hacking competitions are designed to uncover weaknesses that vendors themselves are not yet aware of provides government institutions with an invaluable window to do serious damage.
The potential was illustrated earlier this year with the attacks on the Microsoft Exchange server, which capitalized on four zero-day vulnerabilities. The attacks targeted a huge number of organizations and were linked to the Chinese state-backed hacking group, Hanium.
There is growing evidence that the lines are blurring between cybercriminal gangs and state-sponsored hacking groups, with competitions such as the Tianfu Cup helping to uncover the next generation of talent. In an age where cyberespionage and cyberwarfare are increasingly prevalent risks, these competitions are becoming the breeding ground for hacks that states are willing and able to use both at home and abroad.