How China built a one-of-a-kind cyber-espionage behemoth to last
The “most advanced piece of malware” that China-linked hackers have ever been known to use was revealed today. Dubbed Daxin, the stealthy back door was used in espionage operations against governments around the world for a decade before it was caught.
But the newly discovered malware is no one-off. It’s yet another sign that a decade-long quest to become a cyber superpower is paying off for China. While Beijing’s hackers were once known for simple smash-and-grab operations, the country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.
This change has been going on for years, driven right from the very top. Soon after he ascended to power, President Xi Jinping began a reorganization of China’s military and intelligence agency, which prioritized cyberwarfare and initiated a “fusion” of military and civilian organizations geared toward boosting the nation’s cyber capabilities.
The results are new tools and tactics that have rapidly become more sophisticated and ambitious over the past decade. For example, Chinese government hackers have exploited more powerful zero-day vulnerabilities—previously undiscovered weaknesses in technology for which there is no known defense—than any other nation, according to congressional testimony from Kelli Vanderlee, an intelligence analyst at the cybersecurity firm Mandiant. Research shows that Beijing exploited six times as many such powerful vulnerabilities in 2021 as in 2020.
China’s offensive cyber capabilities “rival or exceed” those of the United States, said Winnona DeSombre, a research fellow at the Harvard Belfer Center, in congressional testimony on China’s cyber capabilities on February 17. “And its cyber defensive capabilities are able to detect many US operations—in some cases turning our own tools against us.”
Daxin is just the latest powerful tool linked to China over the past year. It works by hijacking legitimate connections to hide its communications in normal network traffic. The result provides stealth and, on highly secure networks where direct internet connectivity is impossible, allows hackers to communicate across infected computers. The researchers who discovered it, from the cybersecurity firm Symantec, compare it to advanced malware they’ve seen that’s been linked to Western intelligence operations. It’s been in use at least as recently as November 2021.
And in February of last year, a massive hacking spree against Microsoft Exchange servers by multiple Chinese groups, beginning with zero-day exploits known as ProxyLogon vulnerabilities, showcased Beijing’s ability to coordinate an offensive so large in scale it seemed chaotic and reckless to outside observers. The onslaught effectively left a door wide open on tens of thousands of vulnerable email servers for any hacker to step through.
A quieter campaign uncovered in May saw multiple Chinese hacking groups use another zero-day vulnerability to successfully hack military, government, and tech industry targets across the United States and Europe.
People at the highest levels of power in China appreciate the importance of cyber capabilities. The CEO of Qihoo 360, the country’s biggest cybersecurity company, famously criticized Chinese researchers doing work outside the country and implored them to “stay in China” to realize the “strategic value” of powerful software vulnerabilities used in cyber-espionage campaigns. Within months, his company was linked to a hacking campaign against the country’s Uyghur minority.
A wave of stricter regulations followed, tightening the government’s control of the cybersecurity sector and prioritizing the state’s security and intelligence agencies over all else—including the companies whose software is insecure.
“The Chinese have a unique system reflecting the party-state’s authoritarian model,” says Dakota Cary, an analyst at Georgetown’s Center for Security and Emerging Technology.
Chinese cyber researchers are effectively banned from attending international hacking events and competitions, tournaments they once dominated. A hacking contest pits some of the world’s best security researchers against one another in a race to find and exploit powerful vulnerabilities in the world’s most popular tech, like iPhones, Teslas, or even the kind of human-machine interfaces that help run modern factories. Prizes worth hundreds of thousands of dollars incentivize people to identify security flaws so that they can be fixed.
Now, however, if Chinese researchers want to go to international competitions, they require approval, which is rarely granted. And they must submit everything to government authorities beforehand—including any knowledge of software vulnerabilities they might be planning to exploit. No other country exerts such tight control over such a vast and talented class of security researchers.
This mandate was expanded with regulation requiring all software security vulnerabilities to be reported to the government first, giving Chinese officials unparalleled early knowledge that can be used for defensive or offensive hacking operations.
“All of the vulnerability research goes through an equities process where the Chinese government gets right of first refusal,” says Adam Meyers, senior vice president of intelligence at the cybersecurity company CrowdStrike. “They get to choose what they’ll do with this, really increasing the visibility they have into the research being conducted and their ability to find utility in all of it.”
We’ve seen one exception to this rule: an employee of the Chinese cloud computing giant Alibaba reported the famous Log4j vulnerability to developers at Apache instead of first delivering it to Chinese government authorities. The result was a public punishment of Alibaba and an implicit warning for anyone else thinking of making a similar move.
China’s stricter policies have an impact well outside the country itself.
Over the last decade, the “bug bounty” model has provided millions of dollars to build a global ecosystem of researchers who find software security vulnerabilities and are paid to report them. Multiple American companies host marketplaces where any tech firm can put its own products up for close examination in exchange for bounties to the researchers.
By any measurement, China ranks at or near the top in alerting American firms to vulnerabilities in their software. In his congressional testimony last week, Cary said an unnamed large American firm had disclosed to him that Chinese researchers received $4 million in 2021. The American companies benefit from the participation of these Chinese researchers. When the researchers report a bug, the companies can fix it. That’s been the status quo since the bounty programs began booming in popularity a decade ago.
However, as the Chinese government tightens control, this multimillion-dollar ecosystem is now delivering a steady stream of software vulnerabilities to Chinese authorities—effectively funded by the companies and at no cost to Beijing.
“China’s policy that researchers must submit vulnerabilities to the Ministry of Industry and Information Technology creates an incredibly valuable pipeline of software capabilities for the state,” says Cary. “The policy effectively bought at least $4 million worth of research for free.”
Robot Hacking Games
In 2016, a powerful machine called Mayhem won the Cyber Grand Challenge, a cybersecurity competition held by the US Defense Advanced Research Projects Agency.
Mayhem, which belongs to a Pittsburgh company called ForAllSecure, won by automatically detecting, patching, and exploiting software security vulnerabilities. The Pentagon is now using the technology in all military branches. Both the defensive and offensive possibilities were immediately obvious to everyone watching—including Chinese officials.
DARPA hasn’t run a similar program since 2016. China, on the other hand, has put on at least seven “Robot Hacking Games” competitions since 2017, according to Cary’s research. Chinese academic, military, and private-sector teams have all been drawn to competitions overseen by the Chinese military. Official documents tie automated discovery of software vulnerabilities directly to China’s national goals.
As the Robot Hacking Games were beginning, the CEO of Qihoo 360 said automated vulnerability discovery tools were an “assassin’s mace” for China.
“Whoever masters the automatic vulnerability mining technology will have the first opportunity to attack and defend the network,” he said. Claiming that his own company had developed “a fully autonomous automatic vulnerability mining system,” he argued that the technology is the “‘killer’ of network security.”
The Robot Hacking Games are one example of the way Chinese officials at the highest level have been able to see an American success and then smartly make it their own.
“Time and again, China has studied the US system, copied its best attributes, and in many cases expanded the scope and reach,” says Cary.
As the US-China rivalry continues to function as the defining geopolitical relationship of the 21st century, cyber will play an outsize role in what China’s leaders rightfully call a “new era.” It touches everything from commercial competition to technological advancement and even warfare.
In that new era, Xi’s stated goal is to make China a “cyber superpower.” By any measure, he’s done it.