Did a Chinese University Hacking Competition Target a Real Victim?

Capture the emblem hacking contests astatine information conferences mostly service 2 purposes: to assistance participants make and show machine hacking and information skills, and to assistance employers and authorities agencies with discovering and recruiting caller talent.

But 1 information league successful China whitethorn person taken its contention a measurement further—potentially utilizing it arsenic a concealed espionage cognition to get participants to cod quality from an chartless target.

According to 2 Western researchers who translated documentation for China’s Zhujian Cup, besides known arsenic the National Collegiate Cybersecurity Attack and Defense Competition, 1 portion of the three-part competition, held past twelvemonth for the archetypal time, had a fig of antithetic characteristics that suggest its perchance secretive and unorthodox purpose.

Capture the emblem (CTF) and different types of hacking competitions are mostly hosted connected closed networks oregon “cyber ranges”—dedicated infrastructure acceptable up for the contention truthful that participants don’t hazard disrupting existent networks. These ranges supply a simulated situation that mimics real-world configurations, and participants are tasked with uncovering vulnerabilities successful the systems, obtaining entree to circumstantial parts of the network, oregon capturing data.

There are 2 large companies successful China that acceptable up cyber ranges for competitions. The bulk of the competitions springiness a outcry retired to the institution that designed their range. Notably, Zhujian Cup didn’t notation immoderate cyber scope oregon cyber scope supplier successful its documentation, leaving the researchers to wonderment if this is due to the fact that the contention was held successful a existent situation alternatively than a simulated one.

The contention besides required students to motion a papers agreeing to respective antithetic terms. They were prohibited from discussing the quality of the tasks they were asked to bash successful the contention with anyone; they had to hold not to destruct oregon disrupt the targeted system; and astatine the extremity of the competition, they had to delete immoderate backdoors they planted connected the strategy and immoderate information they acquired from it. And dissimilar different competitions successful China the researchers examined, participants successful this information of the Zhujian Cup were prohibited from publishing societal media posts revealing the quality of the contention oregon the tasks they performed arsenic portion of it.

Participants besides were prohibited from copying immoderate data, documents, oregon printed materials that were portion of the competition; disclosing accusation astir vulnerabilities they found; oregon exploiting those vulnerabilities for idiosyncratic purposes. If a leak of immoderate of this information oregon worldly occurred and caused harm to the contention organizers oregon to China, according to the pledge that participants signed, they could beryllium held legally responsible.

“I committedness that if immoderate accusation disclosure incidental (or case) occurs owed to idiosyncratic reasons, causing nonaccomplishment oregon harm to the organizer and the country, I, arsenic an individual, volition carnivore ineligible work successful accordance with the applicable laws and regulations,” the pledge states.

The contention was hosted past December by Northwestern Polytechnical University, a subject and engineering assemblage successful Xi'an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and besides holds a top-secret clearance to behaviour enactment for the Chinese authorities and military. The assemblage is overseen by China’s People’s Liberation Army.