It would appear that Chinese Intelligence Agencies are altering the Chinese National Vulnerabilities Database (CNNVD) in an attempt to hide security flaws that government hackers might have an interest in. This is the conclusion made by Recorder Future, a US-based security firm, in a recently published report. Recorded Future has developed a reputation for tracking and revealing Chinese state-sponsored cyber spying. According to the latest report published by the firm, the firm noticed in recent months mass edits to the CNNVD website. This would imply that CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.
In November 2017, Recorded Future published a report examining the publication speed of the CNNVD. The report concluded that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the publicly accessible CNNVD webpage. The firm wished to revisit the analysis in an attempt to further confirm their allegations only to find that CNNVD had altered their initial vulnerability publication dates. It is assumed this was done to cover up any evidence of wrongdoing.
The report released in November 2017, made further discoveries which can be seen as interpreted as damning. It was discovered that the CNNVD is essentially a shell for the Ministry of State Security (MSS). While the CNNVD has a website it appears to be separate from the MSS in name only. The MSS is not just a foreign intelligence service, it also has a domestic intelligence mandate. This would mean that the MSS would have a direct need in manipulating vulnerability data if they had operational utility. It was also revealed in the same report that CNNVD was housed in the same building as China’s MSS, making any other argument that is contrary to MSS being at the helm of the CNNVD seem illogical.
In order to prove the conclusions made in the most recent report Recorded Future has been taking snapshots of the CNNVD website in the past year. By doing this they have found that backdating edits have been made to at least 267 critical vulnerabilities. The report details two telling examples. Those being the publication data of CVE-2016-10136, a vulnerability in the Adups firmware included with many smartphones has been backdated 235 days, while the Office CVE-2017-0199 vulnerability has been backdated 57 days.
Possible Main Reason behind Backdating
The security researchers at Recorded Future argue that the main reason behind the backdating and delay in vulnerability disclosures were potentially done to hide security flaws from local companies who rely on the database for daily security patching. This would indeed aid the MSS in internal surveillance operations. Almost as a side effect from the backdating foreign cyber intelligence agencies will have a harder time in spotting the critical flaws that MSS and its hackers are evaluating and pondering for their cyber arsenal. In a practical sense, this will make preparing countermeasures much harder for foreign states.
Another telling seemingly unrelated piece of potential evidence can be found in the Chinese government has taken steps to bar its country’s security researchers from sharing their knowledge at some foreign cybersecurity events, especially those organized in Western countries. Most recently Chinese security researchers have been banned from attending a popular hacking competition that’s taking place in March in Vancouver, Canada, titled “Pwn2Own.” It is hoped that this general banning will further help intelligence officials in keeping undisclosed and backdated vulnerabilities under wraps.
In a series of articles published in May 2017, an anonymous group known as Intrusion Truth revealed evidence that links an intelligence contractor working with the Chinese government to cyber-attacks that have been carried out by a cyber-espionage group known in the infosec community as APT3. Taking the articles published by an anonymous group as fact can be problematic, however, the evidence detailed in the articles has been confirmed by Recorded Future. The details revealed by Intrusion Truth are further ratified by a Pentagon report issued in 2016, the report detailed the findings of the Pentagon's Joint Staff J-2 intelligence directorate concerning the Chinese cyber espionage operations.
These articles revealed that Wu Yingzhuo and Dong Hao, shareholders at Boyusec, a Guangzhou Boyu Information Technology Company, registered multiple domains that formed part of infrastructure used by APT3 to conduct attacks. The group is also known as UPS, Gothic Panda, and TG-011 has been active since 2010. Central to the group’s activities was the theft of intellectual property from private businesses. The group has also been tied to cyber-espionage operations with substantial political implications. The Pentagon report of 2016 also came to the conclusion that Boyusec was tied in some form or another to the Chinese government.
In 2015 the US and China agreed to limit hacking between the two countries only to cyber-espionage operations, safeguarding private businesses. This resulted in APT3 shifting more focus to mainly targeting activists supporting Hong Kong's political independence from China and other political dissidents critical of the Chinese government.
This shift in policy, namely the banning of security researchers from attending foreign conferences, and the backdating of vulnerabilities, could well benefit APT3 and their internal espionage operations. This would most certainly benefit the group as well as other assets deployed by the MSS in the task of domestic intelligence gathering. It would appear that the evolution of APT3 is emblematic of how the MSS conducts operations in both the human and cyber domains. A shift in APT3’s focus symbolizes a shift in MSS doctrine and policy. Unraveling such a web is no easy task as the MSS is composed of national, provincial, and local elements. At every level these elements include organizations with valid public missions to act as a cover for MSS intelligence operations. While it can be safely assumed that their operations almost certainly involve cyber espionage they are also closely tied to the Communist Party’s Five Year Plans and involve diverse operations such as including green energy, defense-related science and technology, biomedical, and aerospace.