
China Using Powerful Hacking Firms to Run Its Espionage War

5 Cybersecurity Firms Provide Large Pool of Government-Funded Espionage Resources
Oppo, a leading cybersecurity firm located in downtown Chengdu, Sichuan Province, China (Image: Shutterstock)

China's cyberespionage campaigns, viewed as an extension of the communist regime's wider geopolitical moves, rely on civilian hackers from domestic security firms for much of their success. Researchers say these groups face off in intense rivalries for lucrative government contracts.

While the relationship between these businesses and the government is private, a leak of information belonging to midsized Chinese cybersecurity company Anxun Information Technology Co., also known as iSoon, revealed what security researchers and China watchers have suspected: strong connections between the Chinese government and domestic cybersecurity companies through government contracts.

The iSoon leak of 577 files in a GitHub repository provided a glimpse into the murky, often corrupt environment in which domestic cybersecurity companies operate. Anxun executives actively used a combination of late-night parties, alcohol and women - along with loyalty to party ideology - to woo government officials and win lucrative contracts.

An analysis of the iSoon documents found that the Chinese cybersecurity company spied on government and private organizations in at least 22 countries on behalf of the Chinese government. The documents linked iSoon to Chinese state hacking groups tracked as RedHotel, RedAlpha and Poison Carp, which Recorded Future said were likely iSoon subteams focused on specific missions (see: iSoon Leak Shows Links to Chinese APT Groups).

According to threat research firm Natto, Chengdu-headquartered iSoon operated out of six locations in China and had about 160 employees at the time of the leak, but only about 26 of them had a four-year university degree and handled sensitive operations. With these resources, iSoon claimed it breached organizations in more than 30 countries and had sophisticated tools in its arsenal to mount further attacks.

iSoon is a relatively small player in the Chinese cybersecurity community. The leaked documents indicate that the company's revenues fell during the COVID-19 pandemic, partly due to the government investing resources elsewhere and partly due to the meteoric rise of rival cybersecurity companies that cornered the most lucrative government contracts.

Employee chat records from the leaked documents indicated that Qi An Xin, a leading cybersecurity company that worked with 90% of central government departments, government-led enterprises and banks, poached many of iSoon's talented staff under the pretense of investing in the business but later withdrew its offer. "iSoon's employee retention dilemma illustrates the big-fish-eat-small-fish atmosphere in the cybersecurity industry in China," Natto said.

Major Chinese Vendors Hold All the Cards

According to Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich, China's offensive cyber warfare strategy relies heavily on a small group of leading cybersecurity companies that hold a major share of central government cybersecurity contracts. These companies - namely Qihoo 360, Tencent, Cyber Kunlun, Oppo and Ant Group - lead the world in terms of bug bounty contributions to tech companies, including Google, Apple and Microsoft.

Chinese bug bounty hackers have performed admirably at global bug bounty contests and hackathons since at least 2013, and teams from Tencent and Qihoo 360 bagged 80% of the prize money at the Pwn2Own hacking contest in Canada in 2017. The next year, China barred vulnerability researchers from participating in international hackathons and launched Tianfu Cup exclusively for the domestic hacking community.

This shift immediately created new leaders in the market while displacing existing players. Qihoo 360, which reported 70% of all vulnerabilities to Android and 60% to Microsoft between 2017 and 2020, quickly lost prominence when leading Microsoft vulnerability researcher Yuki Chen left with the rest of his team to establish Cyber Kunlun and leading Android researcher Zinuo Han moved to Oppo in 2021.

Since 2021, Cyber Kunlun and Oppo have been the largest Chinese vulnerability contributors to Microsoft and Google, keeping the trend alive despite a ban on international participation from China. "Chen and Han belong to a relatively small yet influential cohort of superstar Chinese hackers whose research enormously benefits the security of critical U.S. products," Benincasa said. "At the same time, it's also likely that their findings are scrutinized by China's intelligence agency, the Ministry of State Security, potentially for offensive or espionage objectives."

In 2021, China implemented the Regulations on the Management of Network Product Security Vulnerabilities, forcing domestic vulnerability researchers to report vulnerabilities to authorities within 48 hours. The government also launched a China National Vulnerability Database, requiring whitelisted private companies to disclose vulnerabilities that are then assessed by state authorities.

According to the Atlantic Council, as many as 151 private cybersecurity companies upload information about software vulnerabilities to the vulnerability database managed by the 13th Bureau of the Chinese Communist Party's Ministry of State Security.

"Each year, the researchers provide at least 1,955 software vulnerabilities to the MSS, at least 141 of which are classified as 'critical' severity. Once received by the MSS, they are almost certainly evaluated for offensive use," the group said.

"China's vulnerability pipeline provides its government agencies with a significant advantage over their Western counterparts," Benincasa said. "By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government effectively leverages some of the world's top vulnerability researchers on a large scale and at no cost."

This vulnerability acquisition process, he said, is much faster and more cost-effective than buying zero-days on dark markets or investing in the government's own vulnerability research team.

In research published in June, Benincasa described how China's strategy of forcing vulnerability researchers to report zero-days to authorities is helping nation-state hacking groups exploit more zero-day vulnerabilities than any other country (see: China Using Hacking Competitions to Develop Domestic Talent).

Natto's research reached a similar conclusion. Although the country is known for its top-down model of governance, authorities have been planning to involve private cybersecurity companies as partners to execute the government's cyber strategy since the early 2000s. What helps the cause is that private companies are more than willing to compete for government contracts and even collaborate on joint projects.

"China's resource of skilled cyber experts resides in private sector companies," the company said. "These companies develop valuable tools for the state and local authorities to use, such as the products and services iSoon and its partner companies offer. These companies diligently discover vulnerabilities and develop exploits to improve their own efficiency so they can expand their business."

To improve their competitiveness, Chinese cybersecurity companies constantly seek fresh talent from domestic hacking contests and leading universities that offer advanced cybersecurity courses. The government supports the initiative by encouraging more universities to offer security courses. According to a recent Global Times report, as many as 626 universities are now offering cybersecurity-related majors, including courses on cryptography, web security, privacy, and computer networks and security.


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.