Chinese Government's Hacker Competition Is Being Used To Find Exploits To Wield Against Uighur Citizens
from the aiding-and-abetting dept
Anything the Chinese government can weaponize against its Uighur Muslim population, it will. And has. Further details about an iPhone exploit discovered by Chinese hackers show the Chinese government got into the bug bounty program solely to find vulnerabilities to wield against the government’s least-liked residents.
Patrick Howell O’Neill’s article for MIT Technology Review points out Chinese hackers used to participate in popular hacking competitions like Pwn2Own, providing invaluable assistance to tech companies and tech users by finding vulnerabilities that could be patched before they were exploited by malicious hackers.
In 2017, Chinese participation in international competitions came to a halt. The founder and CEO of tech giant Qihoo 360 publicly criticized Chinese hackers for helping foreign tech companies find and patch security flaws. The CEO suggested this talent should stay at home and help the government find vulnerabilities to exploit.
That’s exactly what has happened. The Chinese government banned participation in foreign hacking competitions and started its own. The first homegrown event was won by a researcher working for Qihoo 360, who found an exploit that allowed malicious actors to take control of even the latest iPhones simply by steering the iPhone user to a webpage containing malware.
This was patched two months later by Apple, quietly and with little attention drawn to it. But incidents occurring in the two months between the discovery and the patch didn’t go unnoticed. Google’s security researchers observed unusual activity and wrote about it.
[I]n August of , Google published an extraordinary analysis into a hacking campaign it said was “exploiting iPhones en masse.” Researchers dissected five distinct exploit chains they’d spotted “in the wild.” These included the exploit that won Qixun [of Qihoo 360] the top prize at Tianfu, which they said had also been discovered by an unnamed “attacker.”
Now, more details about that string of attacks has been revealed. And it shows the Chinese government took the winning exploit and weaponized it against its Uighur population.
Shortly after Google’s researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix.
This has now been confirmed by another source: the US government. Its surveillance agencies also picked up on the malicious hacking efforts and noted their targeting of China’s favorite target of oppression. And it was the government’s intervention that sped up Apple’s response to the exploit.
The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.
This is the sort of cooperation one prefers to see. The federal government has often portrayed Apple as an enemy — not just of agencies like the DOJ, but of the American public. In this case, the government worked with Apple to stop attacks on foreign citizens by a foreign government. The Chinese government made the most of this exploit for two months — one it obtained through a homegrown hacking competition that appears to exist solely to create offensive tech weapons for state-ordained hacking.
Meanwhile, the hacker who discovered the exploit and collected the cash (all while working for the company whose CEO called for Chinese hackers to stop helping foreign companies and start helping The Man stick it to locals and foreign adversaries) is trying to distance himself from the damage his exploit has wrought.
When we contacted Qixun Zhao via Twitter, he strongly denied involvement, although he also said he couldn’t remember who came into possession of the exploit code. At first, he suggested the exploit wielded against Uyghurs was probably used “after the patch release.”
Both of these claims are untrue. And both have been debunked by both independent research and US government surveillance. While it’s unwise to tangle with the Chinese government by refusing to hand over discovered vulnerabilities, it’s probably a little easier to sidestep that obligation by sitting out government-sponsored hacking competitions. In the end, this isn’t the researcher’s fault. The government chose to use it this way. But anyone entering a Chinese government-sponsored hacking competition is likely well aware any discoveries they make will be weaponized by an extremely oppressive government.