
How China Is Building a Powerful Army of Hackers

2025/6/17

Big Take Asia

People
Jamie Tarabay
Zhou Hongyi
Narrator
Narrator of the opening cinematic trailer for the well-known game Civilization VII.
Topics
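Narrator: China's army of cyber hackers is on the rise. By barring participation in international hacking competitions and developing domestic contests instead, China keeps vulnerability information in its own hands. International hacking competitions are meant to promote information sharing and vulnerability patching, but China treats this as a national strategic resource used to improve its cyberattack capabilities. Through domestic events such as the Tianfu Cup, China has not only raised the skill level of its hackers but also set up a vulnerability reporting mechanism under which discovered vulnerabilities serve the government's needs first. This approach contrasts with the open and transparent vulnerability disclosure mechanisms used internationally, and has raised concerns about China's cybersecurity strategy.

Jamie Tarabay: I think the Chinese government is investing heavily in cyber technology and talent, aiming to build a powerful cyber army. This army is used not only for intelligence gathering but could also play a role in military conflict, for example by attacking critical infrastructure. Although China denies taking part in malicious cyber activity, many signs indicate that China's cyber capabilities have become a force that cannot be ignored. Because attributing cyberattacks is very difficult, it is hard for the international community to impose effective sanctions on China's behavior, which allows China to continue advancing its cyber strategy.

Zhou Hongyi: I think China should not take part in international hacking competitions and should not share with the world the vulnerabilities discovered through them; this knowledge should stay in China for its own use.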


This is an iHeart Podcast.


Okay, let's get started. Are you ready? Yes, sir. Let's kick it off in 5, 4, 3, 2, 1. Good luck, guys.

As President Trump was preparing to take office earlier this year, and the battle for cyber dominance between China and the U.S. was looming large, in Tokyo, one of the most prestigious global hacking competitions was underway. They're on the clock and actually attempting to exploit the bug now. Called Pwn2Own, the competition has attracted some of the world's best hackers, or as the industry likes to call them, researchers.

A hacking competition looks exactly like what you see in the movies: a group of people crowded around a computer, all staring intently at the screen as the main hacker types commands furiously on a keyboard. The aim of these hacking tournaments is to find weaknesses or holes in software in real-world devices so that companies can fix them before they're exploited by criminals. For example, researchers would be looking for flaws and bugs, say, in Google Chrome or the Apple Watch.

Teams that find the vulnerabilities successfully win a cash prize and share with the tech companies how they hacked into the systems. At the Pwn2Own tournament in January, the competition was sponsored by Tesla, and teams had to discover weaknesses in its wall charger. I think that's a success.

The best hacking team is crowned the Master of Pwn. It's a title that the competition organizers began bestowing on the best hackers in 2016. That first year, a China-affiliated team won. In 2017, Chinese hackers were Master of Pwn again. But the year after that, 2018, there were no Chinese hackers at Pwn2Own.

In fact, since then, there have been barely any hackers from mainland China at any international hackathon anywhere in the world. In 2018, Chinese researchers no longer traveled to compete in international hacking competitions. Anyone who wanted to do so had to get special permission from the Chinese government. That's Bloomberg reporter Jamie Tarabay, who covers national security in Washington, D.C.

Because they did not want these folks to go overseas and compete, they created domestic hacking competitions to ensure that those vulnerabilities continue to be discovered but remained within China. The travel and competition restrictions placed on Chinese hackers were all about building what Jamie calls a cyber army.

China really began in earnest to invest in the cyber sort of population in its country. It invested in the tech, it invested in the talent, and it became a very concerted focus for the regime. Because in the wars to come, the cyber army in China is going to be a very significant part of its arsenal.

It's a formidable arsenal that China could deploy as tensions between Washington and Beijing continue to ratchet up on everything from trade to rare earths to national security. It could be something that the Chinese government could leverage. Everyone knows that they have this capability to play with the water supply in America. Would they do that now because of the tariffs?

This is The Big Take Asia from Bloomberg News. I'm Oanh Ha. Every week, we take you inside some of the world's biggest and most powerful economies and the markets, tycoons, and businesses that drive this ever-shifting region. Today on the show, China's hacker army. How are Chinese hacking competitions powering its growing network of cyber soldiers? And what's at stake for the U.S. and the rest of the world if their knowledge stays inside China?

It took Chinese hackers a while to get involved in international hacking competitions like Pwn2Own. But once they did, Chinese teams from universities and tech companies quickly became a force to be reckoned with.

The Chinese committed in a way that other teams did not. When a Western team would come and enter a Pwn2Own or one of these hacking competitions, their teams were maybe three to five, five to seven at best. The Chinese were sending 20 to 30 people on each team.

And they were having people spend an entire year, like months and months and months, researching all the different contests, all the different challenges. It became a real contest of we're going to show everyone how good we are. And that's exactly what they did. For a short time, teams from China dominated. But their achievements abroad soon drew the attention of critical eyes back home.

In 2017, the founder of Chinese cybersecurity firm Qihoo 360, Zhou Hongyi, publicly criticized Chinese participation in international hackathons. The billionaire founder came out and said,

I don't think that our people should be going and competing in these international contests and everyone getting to see the vulnerabilities that they discover. We should not be sharing these treasures with the rest of the world. These should be staying in China for us to use and for only us to have that knowledge.

From 2018 on, Chinese teams were effectively forbidden from participating in any international hackathons. That same year, China launched its own hacking tournament called the Tianfu Cup. The prizes totaled a million dollars, almost double the prize money awarded in Pwn2Own that year. During the Tianfu Cup, participants, mostly Chinese teams, hacked into Apple operating systems, Google phones, and Microsoft networks.

What was different about the Tianfu Cup was what participants did after those exploits were discovered. Usually in international hackathons, the bugs are disclosed to the companies that make the software or devices so that they can patch them before criminal hackers exploit them. But in China, contestants are required to report the vulnerabilities to the government first.

The Western slash international contests are a place where a lot of people from many different countries, they're competing, they're sharing, they're learning and reporting their findings in a much more open way and engaging.

You contrast that with what's happening in China. A lot of the times we don't know what vulnerabilities they're investigating. We don't know what the results are. We don't know if the vendor has been notified. And in 2021, the Chinese government went a step further.

A vulnerability disclosure regulation that came into effect required anyone, whether you're a researcher at a tech company or if you discover a flaw during a competition, to report the findings to the government within 48 hours. Anyone who doesn't comply could be punished and fined.

Outside of China, governments don't force hackers or companies to disclose vulnerabilities. But they also don't publicly share any software flaws that their intelligence agencies have discovered either. It's a practice called vulnerability hoarding. And experts say organizations like the U.S. National Security Agency don't reveal their vulnerabilities because it uses them to spy on other countries and attack their systems.

For the longest time, cybersecurity experts weren't really sure how the Chinese government was using intel about security flaws until an alleged data leak in February last year.

Hundreds of internal files from the Shanghai-based cybersecurity company iSoon, which works with Chinese government clients, were posted on an online platform called GitHub.

Chat logs and presentations, which industry experts believed to be authentic, appeared to reveal successful attacks in 2021 and 2022. There was a range of targets, from the UK Foreign Office to the Royal Thai Army, and even NATO Secretary General Jens Stoltenberg. What was also revealing in these files was the link between the Chinese hacking competitions and these state-sponsored cyberattacks.

We saw chats about vulnerability sharing. The people who were on these chats talking about infiltrating a mail server, trying to get into a system with a vulnerability. We saw people saying, hey, when am I going to get that vulnerability from Tianfu Cup? And the response was, well, it's gone to the Ministry of Public Security. Or we've seen the Ministry of Public Security has an exploit. It's not fully formed, but see how you go. Try it out.

So it really kind of revealed a through line. In March, several employees of iSoon were charged by U.S. authorities for carrying out cyberattacks at the behest of Chinese intelligence agencies. China denies the allegations. iSoon hasn't responded to the charges and didn't respond to requests for comment.

With tensions rising between the two superpowers, what are the risks that China's growing hacker army poses to the U.S. and the rest of the world? And can governments do anything about it? That's after the break.


Identifying vulnerabilities in your phone or laptop isn't just important for improving user experience and keeping your data safe. Bloomberg's Jamie Tarabay says they are an important tool for governments to use on the world stage, especially as tensions grow between the U.S. and China, and as China seeks to wield more power and influence abroad.

It's a really important weapon for any government to have. You have the power to go into a device and no one else knows about it, maybe for months, so you can sit on it and use it at your will. Who do you want to target? Do you want to target your domestic population? Do you want to target dissidents? The Chinese have recognized that it is a very useful tool and they're spending a lot of money. They're investing a lot of time and talent and they're growing their technology at a pace that the rest of the world is struggling to match.

And it's not just about stealing data and corporate espionage. Hacking campaigns can target operational technology that controls critical infrastructure. Think power grids and water supply systems. One hacking campaign the U.S. is especially concerned about is called Volt Typhoon. U.S. intelligence agencies accused Chinese state hackers of compromising critical infrastructure on Guam, where the U.S. has a military base.

The Volt Typhoon campaign is basically the discovery of Chinese state-sponsored actors hiding in critical infrastructure, just lurking and waiting for the right moment to flick a switch, to disrupt, to cause chaos or confusion, or to delay responses to possible military action that China might decide to embark on. So that's what the cyber army looks like to the Chinese leadership today.

It is a tool to be used in the event of military action. It is also a tool to be used in intelligence gathering, as they did when they hacked the emails of many of the State Department officials, as well as the most recent campaign, where they hacked into the phones of the Trump campaign.

China has repeatedly denied any accusations of malicious hacking and has also long accused the U.S. and other countries of cyber espionage. This is all about who's the better spy. There's always been this idea that we're going to spy on you, you're going to spy on us.

But we don't know what the U.S. is doing. We don't know what the French are doing. We don't know what the Australians are doing. We don't know what the British are doing. But that's the game. And as we hear more about these cyber attacks, is there anything the U.S. or other governments can do at this point? With the latest administration, we're starting to hear a lot more strident voices about hacking back.

On the Hill, the head of the House Homeland Security Committee, Dr. Mark Green, wants to hack back, wants to get private companies to carry out hacking, offensive cyber campaigns. The thing is, we don't know if they're not already doing that. You know, we don't know what the NSA is doing. For the longest time, it was called no such agency because they never wanted to admit that they even existed, let alone tell everyone what they were doing.

And Jamie says part of the reason why these calls for offensive cyber campaigns are rising is because of the difficulties in holding people accountable for these cyber attacks.

This is the same thing that happens with Russian criminal hackers. They all get indicted and they remain where they are. They stay in Russia or China or they travel to countries where they won't get extradited and they face no consequences. One of the things with the iSoon leaks was these people aren't really paid a lot and they're sort of at the bottom of the ladder, so they're doing someone else's bidding. So even if they were targeted, it doesn't change the apparatus. It doesn't change the fact that this is a policy in the government or within this agency to carry out this kind of behavior.

So what I'm hearing then is you're saying China's basically going to continue to keep doing what it's doing and there's no one that can stop them?

There are sanctions. We see export controls coming in. We see sanctions against individuals. We see sanctions against goods, right? We start to see Chinese products or companies getting banned from the US. We see people in the US being banned from trading or investing in Chinese companies. But short of being able to bring some of these people in, it doesn't really happen because attribution is always so hard. You know, you can say I have all of the elements that match this Chinese actor, but you're never going to know definitively.

We live in a world now where AI is rapidly advancing. A lot of these cyber attacks can be automated in the future. The more we rely on tech, the more exposure we have, the more opportunities for all kinds of hackers to infiltrate, encrypt, sabotage, hold you to ransom, disrupt, do all the things. So there are going to be more opportunities, not less.

This is The Big Take Asia from Bloomberg News. I'm Oanh Ha. To get more from The Big Take and unlimited access to all of Bloomberg.com, subscribe today at Bloomberg.com slash podcast offer. If you like this episode, make sure to subscribe and review The Big Take Asia wherever you listen to podcasts. It really helps people find the show. Thanks for listening. See you next time.
