Did a Chinese University Hacking Competition Target a Real Victim?

Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout-out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

Individuals additionally had been prohibited from copying any knowledge, paperwork, or printed supplies that had been a part of the competitors; disclosing details about vulnerabilities they discovered; or exploiting these vulnerabilities for private functions. If a leak of any of this knowledge or materials occurred and brought about hurt to the competition organizers or to China, based on the pledge that individuals signed, they may very well be held legally accountable.

“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi’an, Shaanxi, that’s affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.
