
Ep. 101: Bug bounties with Chinese characteristics

[STINGER]

DINA TEMPLE-RASTON: To hear Kristin Del Rosso tell it, everything began with a weekend of
looking for bad guys on the internet…

KRISTIN DEL ROSSO: I was like, “Yeah, I was threat hunting with a friend” and everyone
laughed thinking, “Oh, that's hilarious.” And I was like, “I'm not joking. It just is something
that we were doing on the weekend.”

TEMPLE-RASTON: So they were analyzing data logs, scanning web directories…

Looking for some sign of badness other people might have missed.

DEL ROSSO: Not to sound like total nerds, but I wanted to go to this conference, and I was
like, “I need to find something new.”

TEMPLE-RASTON: Something new to present to her industry colleagues.

This was 2022, and Kristin was working at a cybersecurity firm called Sophos…

DEL ROSSO: And what happened was, I was going through some interesting web directories
and I saw what looked like someone who appeared to be pen testing against what was a
variety of energy facilities in China.

[MUSIC]

TEMPLE-RASTON: Pen testing… or penetration testing. It’s kind of like rattling the door
knobs to see if they’re locked…

They’re looking for vulnerabilities in software that even the company that made it might not
know exists.

The danger isn’t so much the glitch… it’s that the bad guys know about it, but no one else
does.

Vulnerabilities are like the holy grail for hackers, one of the best ways to sneak into a
network without being discovered…

Which is why they’re so sought after and so potentially dangerous…

Nation state hackers working for the military or the intelligence services actually consider
them a weapon…

So much so, they’ve been known to pay millions of dollars to buy them so they can leverage
them.

And as Kristin was poking around, she thought she spotted signs of someone — she wasn’t
sure who — who’d found one of those holes and was trying to see if it would let them into
networks they weren’t supposed to be in.

DEL ROSSO: I was like, “Well, this is interesting. Why does someone appear to be running
tests against, you know, 50 plus energy facilities in all these different districts?”

TEMPLE-RASTON: Whoever it was appeared to have found four vulnerabilities…

And they were testing to see if any of them would allow them to sneak into the system…

Sort of like trying various keys in a lock…

[KEYBOARD SOUND EFFECT]

TEMPLE-RASTON: Did this one get me into the network?

How about this one?

DEL ROSSO: And I was like, “This is interesting. Let's dig into this.”

TEMPLE-RASTON: Kristin went to the one place almost all threat hunters begin when they
spot something like this…

There are these publicly accessible databases with lists of known vulnerabilities and their
possible fixes…

Typically these databases are pretty complete.

Companies want to report bugs before some hacker takes advantage of them so they can
quickly send out a patch… and help maintain people’s confidence in their products.

When they find a bug, it gets added to these databases, which means when researchers like
Kristin run into a vulnerability they can just look it up and see if it’s a known one or a new
one…

And that’s what she did.

[KEYBOARD SOUND]

She started searching through the databases for the four bugs that the hacker was trying
to exploit… and almost right away she found the first three…

But the fourth one…

Kristin couldn’t find it anywhere… and the file name had a strange prefix… the letters
CNVD…

DEL ROSSO: It was listed as CNVD. And I have never seen that before. So I was like, let’s dig
into this. And I looked up CNVD and I was like, “Oh goodness.”

Oh goodness because it turns out CNVD stood for the Chinese National Vulnerability
Database…

And Kristin thought, what the hell is that?

DEL ROSSO: This is a whole new database… and I just fell… into this rabbit hole and went
deeper and deeper.

A rabbit hole that took her into the world of Chinese computer bugs…

Middle Kingdom hackathons…

And what would turn out to be a very different, potentially dangerous way of using all those
vulnerabilities that companies dutifully report.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about all things
cyber and intelligence…

We tell true stories about the people making and breaking our digital world…

And today, an episode about the building blocks of hacking:

Vulnerabilities and exploits.

And how China is flipping the script on how the world thinks about them both.

DEL ROSSO: In China they're saying, “we own everything. If you're operating here, we own it
all.”

TEMPLE-RASTON: Stay with us.

MIDROLL 1

TEMPLE-RASTON: Kristin Del Rosso didn’t start out as a computer geek.

She was one of those liberal arts kids, studying history and politics.

DEL ROSSO: I always thought I would want to get into international affairs, you know,
dreams of being maybe an ambassador or something.

TEMPLE-RASTON: And then a random conversation with a chief information security officer
at a conference changed all that.

DEL ROSSO: And I started small talk with a guy there who was the CISO of a company. Um,
over the course of the year, he introduced me to the team, kind of explained what they did.

TEMPLE-RASTON: They invited her into the office, and as weird as it sounds, they showed
her how to reverse engineer malware on an Android phone, which ended up getting her
thinking about just how much interesting information we’re carrying around in our pockets.

DEL ROSSO: If you talk to someone in the 80s and in the Cold War and said, “You know,
there's this device that everyone carries around on them and it has all their personal
information, all their photos, video cameras, their location, and they always have it on them
and you can get into it,” they would think that's like the best thing ever to spy on. And it's
like, yeah, that's your cell phone.

TEMPLE-RASTON: And the more she learned about cyber security, the more it seemed not
just to be incredibly interesting…

But to play to her strengths.

So she changed careers – she went off the ambassadorial track right into cybersecurity.

DEL ROSSO: From there, it went into tracking, you know, the malware generated, you know,
by different nation states targeting ethnic minorities or, you know, dissidents and civil right
activists.

TEMPLE-RASTON: Which is why Kristin ended up threat hunting with a friend on a weekend
just to see what they might find.

DEL ROSSO: Now I'm really into this whole malware and threat intelligence side of things.

[MUSIC]

TEMPLE-RASTON: If you want to crack into somebody’s network, you need two basic things:
a way to get in and a way to leverage that access once you’ve got it.

[SOUND FX: SCANNING DATABASE]

TEMPLE-RASTON: Getting into a network can include anything from phishing emails to
stolen logins and passwords to some unseen or unpatched mistake in software…

Code can be buggy. Everybody knows that. That's why you keep getting updates for your
smartphone… or operating system.

And while bugs aren’t necessarily dangerous, if bad people get their hands on them, it’s a
problem.

NEWS HEADLINE: Apple is urging users to update devices immediately after identifying a
major security flaw…

Yeah, it’s kind of scary. Experts say the issue could result in hackers getting complete
control over your device.

TEMPLE-RASTON: Which is why there are these vulnerability databases we talked about
before. They’re a kind of directory of coding mistakes, like a mugshot binder for bad code.

[SOUND FX: PRISON DOOR SHUTTING]

TEMPLE-RASTON: The idea is to help make products better and prevent bad guys from
breaking into networks and wreaking havoc.

There’s a nice one-for-all, all-for-one vibe to all of this…

Which is why lots of countries have started these databases…

And typically, to help keep things tidy and searchable, these databases use simple naming
conventions. Things like…

DEL ROSSO: CVE dash the year dash, whatever number of vulnerability is.

TEMPLE-RASTON: But if you look at China’s catalog of bugs, it’s not like that…

Not only are the naming conventions not very user friendly, the whole process seems
downright hostile.

For one thing, the database is only open from 8 am to 8 pm Beijing time.

[SOUND FX: STORE CHIME FOR CLOSING TIME]

VOICE (in Chinese): Good evening, the store is closed. (fade under)

VOICE (In English): Good evening, the store is closed. Thank you for shopping with us today.

[SOUND FX: STORE CHIME FOR CLOSING TIME]

DEL ROSSO: That was really annoying. It's a website. It's not like a nine to five storefront
shop. It should just be open all the time.

TEMPLE-RASTON: It was also just really difficult to make an account. And once she got in, it
kept knocking her out of the system.

DEL ROSSO: Every few clicks, it would say, you know, too much activity coming from this IP
address really limiting my ability in the United States to just review the content on the
website.

TEMPLE-RASTON (in interview): Is that normal?

DEL ROSSO: No, that's not normal at all.

TEMPLE-RASTON: The database is clearly tailored for people inside China.

DEL ROSSO: So it’s a lot harder for foreign researchers to understand what’s going on.

TEMPLE-RASTON: Which, she came to believe, is no accident.

DEL ROSSO: It's essentially, they it's showing how they're starting to isolate this because it's
for their own internal goals and purposes.

TEMPLE-RASTON: Maybe the biggest red flag was that usually when you find a particular
bug you see it pop up as the same file in various databases around the world.

But when Kristin dropped in code to search for this mysterious fourth bug, it kept coming
up with different identifiers.

DEL ROSSO: I could see that it was all, it had three different numbers on the three different
sites.

TEMPLE-RASTON: Three different numbers on three different sites.

It was like they were trying to mask it, or make it hard to track the bug.

So it started to dawn on her that the Chinese maybe were trying to hide this vulnerability.

DEL ROSSO: And that's where I started realizing, okay, well, this is really interesting. China’s
practicing hacking critical national infrastructure, hospitals, et cetera, stuff like that. And it's
using a vulnerability that I can't find in any of our databases.

TEMPLE-RASTON: As she investigated further, she realized that China appears to be using
their vulnerability databases in a very different way than the rest of the world.

That’s after the break.

Stay with us.

____________

MIDROLL 2
____________

[STINGER]

TEMPLE-RASTON: As Kristin dug into the vulnerability shell game China was playing, she
saw it went much deeper than she’d initially realized.

Because for as long as these databases have been around, they’ve treated all this like
something we’re all doing together.

Sharing information about vulnerabilities for free as part of the greater good.

But over the past six years, it appears China has taken a much different view.

And if you want to trace the shift back to its beginnings, it would lead you to a very famous
hackathon where contestants race to break into various systems.

PWN2OWN CONTEST TAPE: And welcome back to Vancouver for Day 2 of the Pwn2Own
Security Competition…

TEMPLE-RASTON: Pwn2Own is the world’s biggest hacking contest. It’s been going on since
2007.

PWN2OWN CONTEST TAPE: It has been a day full of fireworks downstairs…

TEMPLE-RASTON: The competition takes place in Canada, and teams come from all over the
world to see who can discover and exploit critical flaws in popular software products.

PWN2OWN CONTEST TAPE: He was able to evade all defensive mechanisms…

TEMPLE-RASTON: There are cash prizes, points awarded to various teams…

And typically, information about the vulnerabilities they find are turned over to vendors like
Google, and Adobe and Microsoft.

Chinese teams with names like 360 Security, Tencent and Ether edge were cleaning up at
these competitions.

PWN2OWN CONTEST TAPE: For his final act, he took out Apple Safari using a….

TEMPLE-RASTON: And things went this way for a long time.

But then, a few years ago, the Chinese government decided to do something a little
different.

DAKOTA CARY: The government, and the Ministry of Public Security, passed regulations
stating that vulnerability researchers could not leave China to participate in these
competitions.

TEMPLE-RASTON: This is Dakota Cary. He studies Chinese hackers for the Atlantic Council
and works at a U.S. cyber security company called SentinelOne.

He’s teamed up with Kristin to try to get to the bottom of what China was up to. And the
best that they can tell is the big shift banning Chinese hackers from foreign competitions
came around 2017.

CARY: And so they effectively were saying, “You can’t disclose these vulnerabilities overseas
for cash.”

TEMPLE-RASTON: China still wanted its hackers to find vulnerabilities — that was certain.
What they didn’t want to do is share them with the rest of the world. So, they brought it
in-house.

CARY: They set up their own competition inside China called Tianfu Cup.

TEMPLE-RASTON: The Tianfu Cup.

China’s answer to Pwn2Own – there are teams and cash and prizes – but the results stay at
home.

CARY: They give you the list of targets in advance, you show up, and if you're able to put the
exploits together, you can win a lot of money.

TEMPLE-RASTON: Consider the 2021 Tianfu. Chinese hackers there found vulnerabilities and
hackable flaws that were able to take down Google Chrome, Windows 10, and Mac’s iOS 15
in just a matter of minutes.

And those vulnerabilities they’d discovered… Well, they didn’t go to waste.

CARY: A vulnerability from that competition was picked up by the Chinese government
within a day — and then used to target Uyghurs in Xinjiang.

TEMPLE-RASTON: In other words, the Chinese government allegedly weaponized the
vulnerability a hacker found at Tianfu in 24 hours to target an ethnic minority.

This shift by the Chinese has turned the whole ethos of threat hunting and bug bounties on
its head. It takes the idea of reporting bugs from being a way to help strengthen a product
to seeing it as a natural resource.

Vulnerabilities are like a commodity to the Chinese.

DEL ROSSO: Almost how you would treat timber or lumber or something like that.

TEMPLE-RASTON: This is Kristin Del Rosso again.

DEL ROSSO: If you look at the way that our entire world functions now, everything.
Everything is technology. Everything is a tech company. Everything is a data company. So if
you want to take intellectual property for your own national security or your own, um,
espionage methods, whatever it might be these are definitely items that I think are the new
means of success.

TEMPLE-RASTON: So why have your best and brightest go to hackathons and help your
adversaries? Why don’t you create a homegrown contest and then weaponize whatever they
find?

[MUSIC]

And obviously all the big cyber powers are doing some version of this. They buy
vulnerabilities all the time, and they use them to maximum advantage.

What they don’t do is this other thing China now does: require companies to give them up
for free.

Two years ago, Chinese leaders announced that anyone doing business in China would now
have to report any vulnerabilities they discover to the government within 48 hours of
finding them.

Though it was the second part of the law that raised the most eyebrows: Companies and
researchers aren’t allowed to tell anyone else about what they've discovered or even patch
the vulnerability until the Chinese government says it’s okay.

In a way, Dakota said, it was a brilliant stroke…

CARY: Instead of the Chinese government having to fund the research themselves and find
and purchase those vulnerabilities, they're doing that by putting these regulations in place.
They set themselves on top of that pipeline.

[MUSIC]

TEMPLE-RASTON: And they can pick and choose what gets reported to the world and
when…

No other vulnerability system works that way.

In the United States, company reporting of vulnerabilities is voluntary, and the government
doesn’t get first crack at using something only to tell the world later.

In China, now the assumption is that their military and intelligence hacking teams are
sitting on thousands of un-reported vulnerabilities, and they’re probably using them.

Dakota and Kristin estimate China is hiding roughly 18,000 bugs.

To test their theory, they took a deeper dive into one specific kind of vulnerability, one that
targets industrial control systems, or ICS – and the numbers they came up with were
sobering.

CARY: So we know that people in China and researchers in China are able to find ICS
industrial control system software vulnerabilities with regularity, with predictability, on the
order of at least 100 a year.

TEMPLE-RASTON: But in the past two years…

CARY: The public data shows that in between six and ten are being released every year.

TEMPLE-RASTON: From a hundred reported vulnerabilities a year… to just six.

Are Chinese hackers having trouble finding coding bugs all of a sudden?

Or is something else going on?

[MUSIC]

TEMPLE-RASTON: Dakota zeroed in on industrial control system software for a really good
reason.

They are the vulnerabilities everybody wants to find.

It isn’t an exaggeration to say that industrial control systems run the world. These are the
systems monitoring and controlling power plants, and manufacturing facilities, and even
water systems.

Break into an ICS in one of those, and you can hobble an entire city. Even an entire country.

And Rob Joyce, head of cybersecurity over at the National Security Agency, told me during a
session at the Aspen Cyber Summit in November that it is clear that China has groups
targeting our critical infrastructure control systems right now.

ROB JOYCE: You know, they're operating out of China. They're going to places that have no
legitimate intelligence value. They don't have any commercial espionage value. They
are there to pre-position on critical infrastructure to give advantage in times of crisis or
conflict.

TEMPLE-RASTON: In 2022, China is thought to have launched more zero-day attacks than
any other country on the planet.

Zero-days are vulnerabilities in big ubiquitous programs that no one has discovered yet.

Kristin said a graph of China’s use of zero-days in the past two years looks like a hockey
stick – up 20 percent since the reporting law went into effect.

And Microsoft recently released a report about this.

DEL ROSSO: They believe that this law directly impacted the use of zero days and exploits by
Chinese threat actors.

TEMPLE-RASTON: People are starting to worry that this approach might spread.

While China is the outlier when it comes to vulnerability reporting right now, it might not be
for long.

Just ask Katie Moussouris.

MOUSSOURIS: As soon as the Chinese made this move, everybody else would start looking
at it. “Well, wait a minute, how come they get to know things early? We should all know
things early, too.” And I absolutely think it is a dangerous place for us to go.

TEMPLE-RASTON: She’s the CEO of a bug bounty management firm called Luta Security.

Think of her as someone who helps organize vulnerability disclosure programs. She says
other governments are taking China’s lead.

MOUSSOURIS: And we're actually seeing that process unfold right now in Europe.

TEMPLE-RASTON: She’s referring to the EU’s “Cyber Resilience Act,” which was first drafted
in September 2022.

MOUSSOURIS: It would require any companies selling software in Europe to tell the
European Union within 24 hours of a previously unknown vulnerability.

TEMPLE-RASTON: Supporters of the E.U. law argue that its version is different from what
China has done.

The European law, for instance, doesn’t want proof of concept code.

In other words, companies would report the flaw – how someone might get access – but not
a roadmap on how to take advantage of it.

MOUSSOURIS: So they're saying, well, it's not that dangerous because we're not requiring
disclosure of technical details and ready made exploit code.

TEMPLE-RASTON: The problem is…

MOUSSOURIS: Once you say that a piece of software or a component is vulnerable,
attackers go to town and take a look at that component and then can, you know, further
exploit that so even the provision that is designed to keep that information sharing safer is
ill informed.

TEMPLE-RASTON: Katie says having governments insert themselves into the process of
collecting vulnerabilities is just asking for trouble.

MOUSSOURIS: Defenders are not winning the cyber wars right now. So we can use all the
help we can get, as opposed to having additional vulnerability information in the hands of
friendly or unfriendly governments, who might keep it a secret before it can get patched.
How does that make us any safer as an Internet? It doesn't.

TEMPLE-RASTON: On November 30, what Katie had feared became official.

The EU announced that it had reached an agreement on some new cyber rules. Companies
will now have to report vulnerabilities and cyber incidents to the EU within 24 hours of
discovering them.

And China… it appears to be going a step further too. According to draft regulations from
the country’s internet watchdog, internet operators may soon be required to report major
cybersecurity incidents to the Chinese authorities within an hour of them occurring or they
risk severe punishment.

This is Click Here.

TEMPLE-RASTON: Here are a couple of the top cyber and intelligence stories of the past
week:

Pharmaceutical giant Merck has reportedly reached a settlement with insurers who had
refused to cover losses linked to the NotPetya cyberattack of 2017.

The undisclosed settlement, first reported by Bloomberg Law, is the culmination of a
closely-watched court battle that holds huge implications for what constitute “acts of war”
in the cyber context.

NotPetya was a cyberattack that took advantage of a bug in Windows server software.
Initially, it took aim at Ukrainian accounting software before it spread around the globe.
Insurers denied a $700 million Merck claim because there was a clause in their insurance
policy that waived insurer responsibility for acts of war. Russian government hackers are
thought to be behind the initial attack.

In 2022, a New Jersey court ruled that the warfare exemption did not apply to the case — a
ruling that was upheld in appellate court last year. Insurers had appealed but according to
Bloomberg Law, they reached an “11th-hour” settlement before oral arguments began at
the New Jersey Supreme Court.

And finally, the government of Taiwan has said it will publicly release an analysis of China’s
attempts to interfere with last week’s elections on the island. Officials said they wanted to
share details so they could help fellow democracies prepare for malign influence
campaigns.

Voters in Taiwan went to the polls last Saturday to choose the country’s president and elect
members to its parliament. China considers Taiwan to be a renegade province and has
vowed to bring it back under mainland control, by force if necessary.

CREDITS

JADE ABDUL-MALIK: Click Here is a production of Recorded Future News

Dina Temple-Raston is the host and managing editor of the show…

Sean Powers, Will Javis and me, Jade Abdul-Malik produce it.

Karen Duffin and Lu Olkowski are our editors and Lucas Reilly is our staff writer.

Darren Ankrom does our fact checking.

Ben Levingston composed the theme music and other original music you heard.

We also use music from Blue Dot Sessions. Megan Goff is our staff illustrator.

That’s it for this week, we’ll be back on Tuesday.
