From World Champions to State Assets: The Outsized Impact of a Few Chinese Hackers
“China already has a bigger hacking program than every other major nation combined.” So warned FBI Director Chris Wray last year. He continued: “If each one of the FBI’s cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50 to 1.”
But this rather striking statement of the scale of the challenge obscures one of China’s key characteristics when it comes to offensive cyber operations. As I discuss in a recent report for the Center for Security Studies at ETH Zurich, within its vast cyber-espionage ecosystem, China relies on a relatively small pool of elite civilian hackers to uncover critical American weaknesses. These weaknesses, generally referred to as vulnerabilities, enable hackers to secretly access targeted software and hardware systems, often without detection, for espionage or offensive purposes. Some vulnerabilities, known as “zero-days,” are particularly dangerous because they are newly discovered and have no known patch or fix available. This makes them highly attractive for malicious actors seeking to exploit them before defenses can be put in place.
China’s elite vulnerability researchers have gained global recognition through their participation in prestigious hacking competitions and bug bounty programs, primarily targeting Western products. These initiatives offer financial rewards for discovering and responsibly reporting zero-days to vendors for remediation. Within China’s offensive cyber ecosystem, these elite researchers form one of two main hacker groups. The second group consists of government-contracted hackers who operate behind the scenes, steering clear of high-profile public competitions and bug bounty programs. In this ecosystem, elite researchers identify zero-days, which are gathered by government security agencies and disseminated to contracted hackers, who then conduct cyber operations against foreign targets.
This setup allows China to effectively harness the expertise of top researchers while keeping them insulated from direct state-sponsored activities. This approach has proved highly effective: Chinese state actors have exploited more zero-days in absolute numbers than any other country, as revealed by Google Mandiant’s 2023 analysis. The most targeted products: those of Microsoft, Google, and Apple.
With the cyber intelligence-civilian divide blurred, I have analyzed publicly available data from submissions made by China’s civilian hackers to the bug bounty programs of Apple, Android (Google), and Microsoft to identify the primary actors targeting these critical products. Through my analysis, a pattern emerges: A small cadre of Chinese researchers stands out as major contributors, and even minor shifts within hacking communities can lead to disproportionately large effects within China’s cyber ecosystem. Crucially, these researchers are affiliated with companies that channel the highest number of vulnerabilities to China’s premier intelligence agency, the Ministry of State Security.
China’s Elite Hackers
Since the early 2010s, Chinese hackers have risen to the very top of Pwn2Own, an annual hacking contest held in Vancouver, Canada, often considered the “World Cup” of hackers. Participants have to find zero-days in fully updated — mostly Western — software and hardware products and systems, in exchange for substantial cash prizes. Between 2014 and 2017, the prize pool ranged from $460,000 to $850,000. In 2014, a single Chinese team claimed 13 percent of the total prize money. In 2017, multiple teams from Chinese tech giants Qihoo 360 and Tencent collectively claimed nearly 80 percent of the prize pool. This international success was short-lived. By 2018, the Chinese government had barred vulnerability researchers from competing in international hacking events such as Pwn2Own. As a result, a domestic counterpart, the Tianfu Cup, was inaugurated in Chengdu in November 2018. Scholar J. D. Work observed that, in Chengdu, “the Chinese teams continued to demonstrate their continued ability to hold key Western systems and networks at risk.” In 2022, threat analyst Winnona DeSombre detailed how, during the 2021 Tianfu Cup, participants demonstrated 30 successful exploits in critical U.S. software products — 40 percent more compared to Pwn2Own’s exploits showcased that same year.
Annual hacking contests offer valuable insights into the capabilities and research priorities of participants, but they provide limited data for assessing their long-term focus and impact. To delve deeper into this, I analyzed the submissions of Chinese teams to the bug bounty programs of Apple, Android (Google), and Microsoft. Bug bounty programs, like hacking competitions, reward individuals for identifying and reporting software and hardware vulnerabilities. However, unlike hacking competitions, they are online crowdsourcing initiatives. Researchers submit detailed reports to help companies replicate and address these issues promptly, facilitating the development of patches. Between 2017 and 2023, Chinese researchers contributed 27 percent of all vulnerabilities reported to Apple, Android (Google), and Microsoft globally.
Between 2017 and 2020, the lion’s share of submissions to each of the three platforms came from teams associated with a single cyber security powerhouse, Qihoo 360, followed by Tencent. Collectively, the Qihoo 360 teams reported almost 70 percent of all the vulnerabilities reported by Chinese researchers to Android (Google), 60 percent to Microsoft, and 31 percent to Apple. While Qihoo 360 boasts no fewer than 19 research teams of varying size and expertise, only a handful truly stood out for their bug bounty contributions. These include 360 Vulcan, 360 SRC, and 360 Nirvan. Between 2021 and 2023, the landscape shifted as other entities rose to prominence. Research teams affiliated with Cyber Kunlun, OPPO, and Ant Group surpassed Qihoo 360 and Tencent as top contributors to Microsoft, Android (Google), and Apple respectively.
Within these teams and companies, a handful of researchers have emerged as significant bug bounty contributors. Among them, Yuki Chen and Zinuo Han have set exceptionally high standards. As 360 Vulcan team’s core member, Chen has led the team through their success at Pwn2Own from 2015 to 2017, where they exploited critical vulnerabilities in Internet Explorer, Google Chrome, and Adobe Flash. After Chinese researchers were barred from attending international hacking competitions in 2018, 360 Vulcan developed a strong focus on vulnerability research within Microsoft products. By 2020, the team had become by far the largest Chinese bug bounty contributor to Microsoft. Chen accounted for nearly 70 percent of the team’s submissions. In 2020, Chen left Qihoo along with other 360 Vulcan members to establish their own cyber security venture, Cyber Kunlun. It’s unsurprising that, following Chen’s departure, submissions from Qihoo 360 to Microsoft dropped dramatically, coinciding with a steady rise from Cyber Kunlun. Today, Cyber Kunlun stands as the top Chinese team contributing to Microsoft’s bug bounty program. It was responsible for over 40 percent of Chinese submissions to Microsoft between 2021 and 2023, with Chen accounting for over 60 percent of the total. For the past three years, his submissions have consistently placed him first in Microsoft’s global ranking of “Most Valuable Security Researchers.“
Chinese submissions to Android (Google) between 2017 and 2020 were led by the 360 SRC team, with nearly all submissions originating from two researchers: Zinuo Han and Chong Wang. Han accounted for over 50 percent of the duo’s contributions. In addition to his numerous submissions, he has spoken at prestigious security conferences, including Zer0Con, Pacsec, and Black Hat. In 2019, Han left his position at Qihoo 360 for a short stint at Alibaba Cloud’s Security Team before moving to consumer electronics manufacturer OPPO in 2021. Similar to Chen, his departure from Qihoo 360 had an immediate downward impact on the company’s bug bounty contributions to Android. Starting in 2022, OPPO experienced a surge in Android bug bounty submissions, largely due to Han’s contributions. By the end of 2023, OPPO became by far the largest single contributing Chinese team to Android (Google). In 2022 and 2023, Han received “a special shoutout” from the Google Security Blog for being one of its top bug bounty contributors, alongside just one to three other researchers.
Chen and Han belong to a relatively small yet influential cohort of superstar Chinese hackers whose research enormously benefits the security of critical U.S. products. At the same time, it’s also likely that their findings are scrutinized by China’s intelligence agency, the Ministry of State Security, potentially for offensive or espionage objectives.
Intelligence Linkages and Implications
To harness the talent of its superstar hackers, the Chinese government implemented the Regulations on the Management of Network Product Security Vulnerabilities in September 2021, mandating Chinese researchers to directly hand over any zero-days to state authorities within 48 hours. From this constant influx of vulnerability reports, Chinese government agencies can pick and choose which vulnerabilities to publicly disclose, and which to potentially use in future cyber operations.
The first robust enforcement of these regulations occurred two months later, in the backdrop of the discovery of one of the most significant vulnerabilities in recent memory. In November 2021, security engineer Chen Zhaojun from the Alibaba Cloud Security Team discovered Log4Shell, a critical vulnerability in Apache Log4j, a Java-based logging library used by millions globally. Zhaojun reported Log4Shell directly to Apache, which disclosed it a few weeks later with a patch available. Upon disclosure, Mandiant described it as “one of the most pervasive security vulnerabilities that organizations have had to deal with over the past decade.” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, labeled it “one of the most serious [vulnerabilities] that I’ve seen in my entire career, if not the most serious.” While countries grappled with mitigating the impacts of Log4Shell, China’s reaction to the Log4Shell discovery went largely unnoticed. A few weeks after disclosure, Alibaba Cloud faced penalties for its failure to report Log4Shell to state authorities. Alibaba was fined, and its collaboration on information-sharing with China’s Ministry of Industry and Information Technology was suspended.
If the Log4j episode aimed to set clear boundaries against violations of the regulations, another case cast doubt on their enforcement criteria. In 2021, significant controversy ensued when Qidan He was dismissed from his role as cyber security head at Pinduoduo, a major online retailer in China, for refusing to carry out “hacking attacks” for the company. He is among China’s most popular hacker prodigies. He enrolled at Zhejiang University at the age of 15 and gained international fame for his outstanding performances at Pwn2Own. Following his dismissal, prominent Chinese hackers voiced their support for He and expressed outrage at Pinduoduo. These included the former director of Alibaba’s Security Lab and the founder of a prominent Tencent security lab, the Keen Lab. In April 2023, information emerged revealing that Pinduoduo had assembled a team of approximately 100 engineers and product managers to search for vulnerabilities in Android phones for the purpose of spying on users, aiming to boost sales by monitoring customers and competitors. The team was eventually disbanded, but Pinduoduo faced no regulatory repercussions despite violating article 4 of the regulations by actively seeking and exploiting vulnerabilities for illicit ends.
Through this double standard in enforcement, the Chinese government demonstrates its intent to penalize researchers who report critical vulnerabilities, while turning a blind eye to private companies engaging in illicit economic information gathering that can benefit the companies financially or have strategic importance to the government. This approach increases the legal pressure on Chinese researchers to disclose vulnerabilities directly to the government.
Nevertheless, while it serves as China’s primary framework for acquiring zero-days, the Regulations on the Management of Network Product Security Vulnerabilities are not the sole avenue through which government agencies access vulnerabilities identified by private researchers. In 2023, cyber security analysts Dakota Cary and Kristin Del Rosso uncovered an alternative, more subtle process involving the China National Vulnerability Database, overseen by the Ministry of State Security. This framework operates on a voluntary basis, where private companies collaborate with said database to disclose vulnerabilities. These partnerships are divided into three tiers based on annual vulnerability submissions, with Tier 1 requiring the highest number of reports. Already in 2017, U.S. threat intelligence company Recorded Future demonstrated that vulnerabilities reported to the China National Vulnerability Database are assessed by the Ministry of State Security for their utility in intelligence operations. Currently, only 29 companies are classified as Tier 1, including Qihoo 360, Cyber Kunlun, Sangfor, Tencent, and Ant Group — companies known for hosting leading bug bounty contributors to Apple, Android (Google), and Microsoft.
China’s vulnerability pipeline provides its government agencies with a significant advantage over their Western counterparts. Discovering zero-days is a costly and time-consuming process. For governments to do this independently poses significant resource and logistical challenges. Alternatively, as argued by researcher Max Smeets, purchasing exploits from zero-day markets is expensive and fraught with information asymmetries between sellers and buyers, making it difficult to discern reliable products. By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government effectively leverages some of the world’s top vulnerability researchers on a large scale and at no cost.
In some cases, Tier 1 companies’ engagement with Chinese government agencies extends well beyond vulnerability research. Qihoo 360 exemplifies such close ties, leading the Cyberspace Security Military-Civil Fusion Innovation Center, which may develop “cyber militia and teams.” Recent reports indicated that Qihoo 360 sold personal data from its antivirus customers to i-SOON, a government-contracted company, potentially enabling the tracking of individuals’ online activities. Cyber Kunlun, founded by Qihoo 360’s former chief technology officer, Wenbin Zheng, closely collaborates with Qihoo 360 and partners with Qi An Xin’s Pangu Lab on vulnerability mining. Qi An Xin, spun off from Qihoo 360 in 2019, has strong links with Chinese intelligence and military services and operates its own Cybersecurity Military-Civil Fusion Innovation Center.
Conclusion
The analysis of Apple, Android (Google), and Microsoft’s bug bounty data from 2017 to the end of 2023 has revealed a significant number of submissions by Chinese researchers. This examination highlights that a significant portion of Chinese contributions to these platforms originated from a small number of individuals within specialized research teams, where fluctuations in team performance often stem from individual transitions between companies. The vulnerabilities discovered in Western products by Chinese civilian researchers are likely shared with government agencies: Chinese law mandates that researchers report vulnerabilities, and the companies they are affiliated with are required to submit a specified minimum number of vulnerabilities annually to the Ministry of State Security-run China National Vulnerability Database to maintain their status.
This approach offers a distinct advantage over traditional zero-day acquisitions and has contributed to state-affiliated Chinese groups exploiting more zero-days than any other country. Nonetheless, despite its effectiveness, unanswered questions persist: Western vendors consistently receive extensive information on zero-day vulnerabilities, yet the Chinese system remains effective in exploiting U.S. products. This prompts inquiries: Are these unique individual zero-days or part of zero-day chains? Is it an issue with patching? Or does Chinese effectiveness stem from inadequate security practices among targeted victims?
Despite its efficacy, other countries, particularly democracies, should not be misled into viewing China’s as a favorable model, as it poses ethical dilemmas incompatible with core democratic values of trust and transparency. The European Union’s Cyber Resilience Act has sparked controversy in this regard. Under Article 11, software publishers would be required to promptly report any unresolved security vulnerabilities to the European Union Agency for Cybersecurity within 24 hours of discovery. Senior figures from over 50 organizations, including Google, Trend Micro, and the Electronic Frontier Foundation, have voiced concerns in an open letter that with this procedure “dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment.” Leading experts in bug bounty programs, such as Katie Moussouris, caution against implementing comparable approaches. She has expressed concerns that such practices “could erode the cybersecurity of the entire Internet.” Crucially, they risk alienating the talented vulnerability researchers on which the entire cyber security ecosystem rests.
Eugenio Benincasa is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich. Prior to joining the center, he worked as a threat analyst at the Italian Presidency of the Council of Ministers in Rome, as a research fellow at the think tank Pacific Forum in Honolulu, and as a crime analyst at the New York City Police Department.
Image: Airman 1st Class Wren Fiontar
Comments are closed.