China evaluates vulnerabilities for attacks before disclosure
CANCÚN, Mexico—Look no further than the spread of WannaCry, prompted by a leak last year of a Windows vulnerability the NSA had kept under wraps, for evidence of the importance of addressing and publicly disclosing computer and network vulnerabilities.
Security experts have criticized U.S. intelligence agencies for stockpiling zero-day vulnerabilities rather than urging software companies to patch and then disclose them. In a November report, cybersecurity intelligence company Recorded Future argued that China, a notorious censor, is better than the United States at alerting companies and the public about vulnerabilities it discovers.
A new Recorded Future report suggests that while China is readily disclosing vulnerabilities, it is manipulating its public record of disclosures to hide its approach in potentially using them.
Recorded Future’s November report concluded that the Chinese National Vulnerability Database, or CNNVD, published vulnerabilities significantly faster than the U.S. National Vulnerability Database. At the same time, report authors Priscilla Moriuchi and Bill Ladd, respectively Recorded Future’s director of strategic threat development and chief data scientist, concluded that the Chinese agency running the database, the Ministry of State Security (MSS), first evaluates the most serious vulnerability discoveries to determine whether China could use them in cyberattacks.
In their new report, published March 9, Moriuchi and Ladd conclude that at least 267 critical vulnerabilities noted in the original report have since had their publication dates retroactively altered. They say their research confirms that MSS, China’s combined equivalent of the CIA and NSA, has changed the disclosure publication dates of vulnerabilities it has already evaluated (and passed on) for use in cyberattacks. Like U.S. intelligence agencies, they say, MSS likely is stockpiling undisclosed vulnerabilities it has not yet considered.
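One practical check the finding implies, added here as an illustration and not Recorded Future's own tooling: diff two snapshots of a vulnerability feed and flag entries whose publication date moved earlier between crawls. The identifiers and dates below are constructed placeholders, not real database entries.

```python
"""Detect retroactive publication-date changes between two snapshots of a
vulnerability database. Added illustration; identifiers and dates are
constructed placeholders, not real CNNVD entries."""
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed snapshots: vulnerability id -> publication date (ISO 8601) as
# recorded on two different crawl dates. Ids are placeholders.
SNAPSHOT_NOV = {
    "EXAMPLE-2017-0001": "2017-10-20",
    "EXAMPLE-2017-0002": "2017-09-03",
    "EXAMPLE-2017-0003": "2017-11-15",
    "EXAMPLE-2017-0004": "2017-08-30",
}
SNAPSHOT_MAR = {
    "EXAMPLE-2017-0001": "2017-09-01",   # now claims an earlier date than first seen
    "EXAMPLE-2017-0002": "2017-09-03",   # unchanged
    "EXAMPLE-2017-0003": "2017-11-20",   # moved later (ordinary correction, not backdating)
    "EXAMPLE-2017-0004": "2017-06-30",   # backdated by two months
    "EXAMPLE-2018-0005": "2018-02-01",   # new entry, nothing to compare against
}

def _parse(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()

def find_backdated(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Return (id, old_date, new_date, days_moved_earlier) for every entry whose
    publication date in `new` precedes the date it carried in `old`.
    Sorted by the size of the shift, largest first."""
    shifted = []
    for vid, old_date in old.items():
        new_date = new.get(vid)
        if new_date is None:
            continue  # entry disappeared; track removals separately if needed
        delta = (_parse(old_date) - _parse(new_date)).days
        if delta > 0:
            shifted.append((vid, old_date, new_date, delta))
    shifted.sort(key=lambda row: row[3], reverse=True)
    return shifted

def backdating_rate(old: Dict[str, str], new: Dict[str, str]) -> float:
    """Share of entries present in both snapshots whose date moved earlier."""
    common = [vid for vid in old if vid in new]
    return len(find_backdated(old, new)) / len(common) if common else 0.0

if __name__ == "__main__":
    for vid, was, now, days in find_backdated(SNAPSHOT_NOV, SNAPSHOT_MAR):
        print(f"{vid}: {was} -> {now} (moved {days} days earlier)")
    print(f"backdated share: {backdating_rate(SNAPSHOT_NOV, SNAPSHOT_MAR):.0%}")
```

The point for anyone ingesting such a feed is to record your own first-seen timestamp per entry and compare against it, rather than trusting the feed's self-reported publication date.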
Companies and researchers need to carefully and skeptically consider cybersecurity information published by China, Moriuchi tells The Parallax.
“Large multinational companies have decided they can’t not do business in China,” she said in a phone call prior to Recorded Future CEO Christopher Ahlberg’s presentation of the research at the annual Kaspersky Security Analyst Summit (co-sponsored by Avast Software, which sponsors this site) here Friday. “But they can’t trust security information from the Chinese government.”
The MSS did not return requests for comment.
The research also concludes that MSS’ manipulation of vulnerability disclosure dates intentionally makes it harder for other countries and businesses to predict advanced persistent threats from China. Nation-states (and the hacker groups they support) often use APTs to steal data, undetected, over a sustained period of time. Because they generally employ encryption and mimic “normal” network behavior, the operations are hard to detect and stop.
To access and steal data stored on computers and networks, APT operations first need to exploit vulnerabilities in those systems. Many of the biggest hacks since 2014 have been APTs. Those include hacks of Equifax in 2017, the Democratic National Committee in 2016, the U.S. government’s Office of Personnel Management in 2015, and Sony Pictures in 2014.
Because of their variety and complexity, it’s difficult to calculate exactly how costly these attacks are. But there’s no question that organizations are feeling compelled to better protect their systems: Research analysts at Gartner predict that cybersecurity spending will surpass $96 billion this year, up 8 percent from 2017.
Despite growing evidence that APTs wouldn’t exist without the support of nation-states, including China, it’s good that China is publishing a vulnerability database at all, says Herb Lin, a computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation.
Nobody should “be surprised” that the Chinese government has its hand heavily involved in vulnerability research, or that it is “hoarding vulnerabilities,” he says. “What’s surprising to me is that the Chinese have something like our own vulnerability equities process.”
China is “trying to weigh the benefits of disclosure versus the benefits of retention,” Lin says. “This is better than the alternative” of disclosing nothing.
In the wake of President Obama’s 2015 cybersecurity agreement with China’s President Xi, which was designed to address attempted theft of trade secrets, China has become more careful about how it conducts online attacks, says Jim Lewis, director and senior fellow of the Technology Policy Program at the Center for Strategic & International Studies in Washington, D.C.
China and Russia essentially have switched chairs at the geopolitical cybersecurity table, he says.
“One of the unexpected consequences of the Obama-Xi agreement is, [China has] become a lot stealthier. The Russians used to be quiet and the Chinese noisy; now it’s the other way around,” Lewis says. “The MSS is thinking about how to do things without getting caught.”