Nov 21, 2022
For those faithful few who follow my posts here regularly, you’re aware that much of my recent writing has explored cybersecurity in the context of national security. I’ve looked at how several countries are developing their national cyber defenses, and how some other countries are going on the offensive, using cyber attacks to achieve geopolitical ends. I think the evolution of international relations and realpolitik into the digital realm is a fascinating subject that will alter some of our fundamental expectations about how power operates across the globe. And we’re just seeing the start. I don’t mean to sound excited – there’s plenty to be terrified about – but I’m certainly riveted, and I hope others are too.
Given my recent writing, a report from several weeks back immediately caught my attention. In Microsoft’s 2022 Digital Defense Report, China is accused of essentially stockpiling cyber vulnerabilities for potential use in future cyber attacks. Countries used to hoard bombs and bullets. Now they’re doing the same thing with accelerants for cyber attacks. It’s an alarming development that, to my genuine chagrin, aligns exactly with what I’ve been harping on of late. Let’s take a closer look.
Turning Weaknesses Into Weapons
Most developed nations, the US included, have formal channels in place to report cyber vulnerabilities. China took that one step further through a series of laws passed in 2021. Those laws made it mandatory for network operators and hardware/software makers to report any vulnerability discovered to local officials. That wouldn’t seem all that unusual in a centrally controlled, risk-averse country like China. But the laws made an unusual stipulation: report vulnerabilities to local officials but not anyone else. Officials would have to give permission before the vulnerability was disclosed to the developer or the public at large.
Officials explained this stipulation as a way to strengthen China’s cyber defenses – they could use the vulnerabilities to harden themselves against attacks before someone had a chance to exploit them. But it did not take a military mind to see an alternate and opposite scenario as just as likely: China was turning these vulnerabilities into cyber attacks before anyone else knew they were exposed.
The more cynical interpretation is given credence by the fact that hackers based in or supported by the Chinese government have proven especially proficient at exploiting zero-day vulnerabilities (flaws unknown to the vendor, for which no patch yet exists), and according to Microsoft, especially so in the last six months. One can easily guess why: the Chinese government is feeding them intelligence.
I would encourage anyone interested in the technical specifics to reference the report, which describes the particular vulnerabilities that have been exploited by China-affiliated hackers. Also interesting are some of the targets of these attacks, including energy, telecommunications, and government systems throughout Southeast Asia. If the reports are true, China clearly sees cyber attacks based on undisclosed vulnerabilities as both potent tools in its digital arsenal and a way to exert its influence throughout the region (and beyond).
A Different Kind of Arms Race
I should probably stress here that I don’t think what China is alleged to be doing is all that surprising. Like so many aspects of cybercrime and digital disruption, what we see isn’t something totally new and novel but rather a futuristic spin on long-running forms of crime and conflict. For all of history, groups have been searching for their enemy's weak points and keeping quiet when they find something. We used to look for cracks in the fortress walls, now we look for misconfigurations in the cloud. It makes sense that China would incorporate this technique into its cyber strategy.
Which leads me to believe they’re not the only ones doing it. Other countries may not have laws on the books requiring people to report vulnerabilities. That said, they almost certainly have ways to discover and leverage vulnerabilities early and quietly. It would be a glaring oversight not to.
Predictable as all of this may be, I think the long-term consequences are much harder to surmise. Just one example: what will happen with zero day attacks once countries are racing to both find vulnerabilities and keep them out of public knowledge? There’s been an admirable and to some extent effective push to see zero days as a collective problem that we must address through transparency and information sharing – but seeing vulnerabilities as valuable weapons of war would seem to undermine that effort. Then what?
We won’t have to wait long for the answer, I suspect. The cyber saber-rattling has been ramping up for years now. And with the conflict in Ukraine making this a record-setting year for cyber attacks sponsored by nation-states...the gloves are coming off.
China is alleged to be stockpiling vulnerabilities to weaponize into cyber attacks. Now that the cyber arms race has kicked into high gear, it’s only a matter of time before the match reaches the powder.