The U.S. government debuted its reworked vulnerabilities equities process on Tuesday after a drawn-out fight about transparency and security. But almost nothing is known about the equivalent process in China, the world's second-biggest economy and a longtime adversary of the U.S. in the digital domain.
A new report from Boston-based cybersecurity firm Recorded Future argues that China's quieter vulnerability disclosure process delays or withholds publication of vulnerabilities that are being exploited by malware linked to Chinese hacking groups.
“We believe we’ve found they have a vulnerability evaluation process that’s led by their intelligence services,” said Priscilla Moriuchi, the director of strategic threat development at Recorded Future. There’s been no previous public discussion of the Chinese process.
China’s process is one “in which high threat vulnerabilities are likely evaluated for their utility in intelligence operations before they’re published by [Chinese National Vulnerability Database],” the report reads. “The publication is made or delayed for these high threat vulnerabilities based on whether they can be operationally useful to the [Ministry of State Security] whether for domestic surveillance or foreign intelligence operations.”
“It is not surprising that the Chinese government is holding on to a small number of high-value vulnerabilities that it is using to penetrate targets to further national security goals,” said Paul Triolo, practice head for geo-technology at the Eurasia Group.
The Chinese National Vulnerability Database (CNNVD) is typically about twice as fast as its American counterpart, the National Vulnerability Database (NVD), at publicly disclosing software vulnerabilities. The reasons are several; one is that CNNVD pulls from sources across the web rather than relying on voluntary industry submissions. The result is a significant gap: in theory, Chinese companies and anyone else following CNNVD learn of new vulnerabilities, and can patch them, sooner than competitors who follow the U.S. equivalent.
Speed may typically be on the side of CNNVD, but the process appears to be closely controlled by the MSS, China's civilian intelligence agency and the rough equivalent of the CIA. CNNVD is officially part of the China Information Technology Security Evaluation Center (CNITSEC), which is in turn officially part of the MSS. The U.S. NVD is run by the National Institute of Standards and Technology and sponsored by the Department of Homeland Security.
High-threat vulnerabilities were typically published in the Chinese database anywhere from 21 to 156 days later than lower-threat vulnerabilities.
Publication of the Microsoft Office vulnerability CVE-2017-0199 was delayed by 57 days in the Chinese database, during which a Chinese advanced persistent threat group reportedly exploited it in hacking campaigns against Russian and Central Asian targets. The same vulnerability was also exploited by the criminal group behind the Dridex malware. (WannaCry, widely credited to North Korea, and NotPetya, which Ukraine blames on Russia, spread instead through the Windows SMB flaw patched in Microsoft's MS17-010 bulletin, CVE-2017-0144, not through CVE-2017-0199.)
Another pair of vulnerabilities, CVE-2016-10136 and CVE-2016-10138, was found in software from the Chinese firm Adups, which has repeatedly been found to secretly siphon off large quantities of user data. Those affected were mostly Chinese residents, but lower-income customers in the developing world, Europe and the United States also use devices carrying Adups software, though most don't realize it. CNNVD published a brief and objectively misleading writeup of the vulnerabilities 236 days after NVD.
The first delay likely served an international hacking campaign, Recorded Future researchers posited, while the second may have aided domestic surveillance.
“We do not believe that these vulnerabilities, the links they might have to Chinese government surveillance, and the eight month publication delay are coincidences,” the researchers wrote. “The systems with these backdoors were overwhelmingly located in China, CNNVD is largely followed and consumed by Chinese businesses and citizens, and the MSS has a mission to collect domestic intelligence. While we cannot determine with certainty that the MSS was exploiting this vulnerability, we believe this is another example of likely MSS interference in the CNNVD publication process.”
The pattern held across a study of hundreds of vulnerabilities: higher-severity vulnerabilities often took longer to appear on CNNVD for no discernible reason, even when they were first made public at the same time and in the same place as lower-severity vulnerabilities that CNNVD published quickly. Researchers believe the differences and delays are "another indicator that CNNVD has a different process for publishing vulnerabilities that may have operational use for the MSS."
The U.S. NVD is used by an international array of private- and public-sector entities. The Chinese database is mostly used by Chinese corporations, government entities and universities, as well as other governments in East Asia and across the world, according to Recorded Future.
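Measuring that kind of severity-dependent lag is straightforward once you have a first-disclosure date and a publication date for each entry. The following is an added example, not code from Recorded Future's report or from either database: it takes constructed sample records (placeholder IDs and invented dates, chosen so the lags resemble the delays the article cites), buckets them by CVSS rating band, and flags high- and critical-severity entries that were published later than the low/medium baseline by more than an assumed 14-day slack. An entry the feed never published is measured up to a cut-off date, so withholding shows up as the longest lag rather than vanishing from the comparison.

```python
"""Publication-lag check across severity bands for a vulnerability feed.

Added illustration, not code from Recorded Future or the article. The records
below are constructed sample data (SAMPLE-nn IDs are placeholders, not CVE
identifiers), and the 14-day slack is an assumed threshold.
"""
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple, Optional, Tuple


class VulnRecord(NamedTuple):
    vuln_id: str
    cvss: float                 # CVSS base score
    first_public: date          # date the issue first appeared in any public source
    published: Optional[date]   # date the feed under review published it; None if never


# Cut-off for measuring entries the feed has not published (assumed date).
AS_OF = date(2017, 12, 31)

# Constructed sample feed: all seven issues became public on the same day from the
# same source, so any difference in lag is the feed's own doing.
SAMPLE: List[VulnRecord] = [
    VulnRecord("SAMPLE-01", 3.1, date(2017, 4, 10), date(2017, 4, 12)),
    VulnRecord("SAMPLE-02", 5.0, date(2017, 4, 10), date(2017, 4, 13)),
    VulnRecord("SAMPLE-03", 6.5, date(2017, 4, 10), date(2017, 4, 11)),
    VulnRecord("SAMPLE-04", 7.8, date(2017, 4, 10), date(2017, 6, 6)),    # 57-day lag
    VulnRecord("SAMPLE-05", 9.8, date(2017, 4, 10), date(2017, 4, 14)),
    VulnRecord("SAMPLE-06", 8.1, date(2017, 4, 10), date(2017, 12, 2)),   # 236-day lag
    VulnRecord("SAMPLE-07", 9.1, date(2017, 4, 10), None),                # never published
]


def severity(score: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def lag_days(record: VulnRecord, as_of: date) -> int:
    """Days from first public availability to publication in the feed.

    An entry the feed has not published is measured up to `as_of`, so an
    indefinitely withheld issue counts as the longest lag rather than vanishing.
    """
    end = record.published if record.published is not None else as_of
    return (end - record.first_public).days


def median_lag_by_severity(records: List[VulnRecord], as_of: date) -> Dict[str, float]:
    """Median publication lag for each severity band."""
    lags: Dict[str, List[int]] = {}
    for r in records:
        lags.setdefault(severity(r.cvss), []).append(lag_days(r, as_of))
    return {band: median(values) for band, values in lags.items()}


def flag_delayed(records: List[VulnRecord], as_of: date,
                 slack_days: int = 14) -> List[Tuple[str, int]]:
    """High/critical entries whose lag exceeds the low/medium baseline by more than slack_days.

    The baseline is the median lag of low- and medium-severity entries: if the feed
    is simply slow at processing everything, those lag too and nothing is flagged.
    """
    baseline_lags = [lag_days(r, as_of) for r in records
                     if severity(r.cvss) in ("low", "medium")]
    if not baseline_lags:
        raise ValueError("need low/medium entries to establish a baseline lag")
    baseline = median(baseline_lags)
    return [
        (r.vuln_id, lag_days(r, as_of))
        for r in records
        if severity(r.cvss) in ("high", "critical")
        and lag_days(r, as_of) - baseline > slack_days
    ]


if __name__ == "__main__":
    print("median lag by severity:", median_lag_by_severity(SAMPLE, AS_OF))
    for vuln_id, lag in flag_delayed(SAMPLE, AS_OF):
        print(f"{vuln_id}: published {lag} days after first disclosure")
```

On the sample data the check flags SAMPLE-04, SAMPLE-06 and the never-published SAMPLE-07, while SAMPLE-05 (critical, published within four days) is left alone, which is the point: a slow feed delays everything, a feed that is holding something back delays selectively. Against real feeds the same logic runs over CNNVD and NVD export data, with the caveat that "first public" must come from a source independent of the feed being measured.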
“This report shows that despite US efforts at more transparency, it will be very difficult to get governments around the world that have the technical capabilities to uncover vulnerabilities to be more transparent about how they determine when to release vulnerability information,” Eurasia Group’s Triolo said. “Most will almost certainly reserve the right to not reveal a small but critical number of detected vulnerabilities to reserve for the use of their intelligence services.”
Recorded Future's researchers go further than saying the MSS merely interferes with CNNVD. Report authors Moriuchi and Bill Ladd call CNNVD "a shell."
Moriuchi and Ladd argue the research shows why intelligence services should not manage vulnerability publication processes because “it is impossible for an intelligence service to equally uphold the mandates for both vulnerability reporting (transparency) and intelligence operations (secrecy).”