Chinese Hackers Exploit Software Vulnerabilities to Breach Targeted Systems
China’s Cyberspace Administration, Ministry of Public Security, and Ministry of Industry and Information Technology (MIIT) introduced the Regulations on the Management of Network Product Security Vulnerabilities (RMSV) in July 2021, mandating that software vulnerabilities (exploitable flaws in code) be reported to the MIIT within 48 hours of discovery.
This policy prohibits researchers from publishing vulnerability details, proof-of-concept exploits, or exaggerated severity assessments without coordinating patches with product owners and authorities.
Regulatory Framework
By channeling all reports through the MIIT’s Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB), the system ensures centralized aggregation of zero-day and known vulnerabilities, integrating them with existing databases like the China National Vulnerability Database (CNVD) managed by CNCERT/CC and the MSS-operated China National Vulnerability Database of Information Security (CNNVD).
This interconnected ecosystem shares data with entities including the MSS’s 13th Bureau, PLA-linked contractors such as Beijing Topsec, and research centers at Shanghai Jiao Tong University focused on advanced persistent threat (APT) attack and defense.
The NVDB encompasses specialized sub-databases for general network products, industrial control systems (ICS), government-used innovative IT, internet-connected vehicles, and mobile applications, drawing contributions from 103 companies, 48 of which also support the CNNVD.
Technical support units for CNNVD, comprising 151 firms, employ at least 1,190 vulnerability researchers who annually submit a minimum of 1,955 vulnerabilities, including 141 critical ones scored via the Common Vulnerability Scoring System (CVSS).
These mandates contrast sharply with voluntary U.S. systems, where vulnerabilities are reported to CVE Numbering Authorities and integrated into the National Vulnerability Database without compulsion, relying on researchers motivated by bounties or prestige.
Offensive Advantages
This regulatory apparatus bolsters China’s offensive cyber operations by stockpiling vulnerabilities for exploitation, akin to maintaining an arsenal for intelligence and military actors.
Vulnerabilities expire quickly due to patches, necessitating a steady influx; the RMSV captures those previously unreported to government channels, including internal discoveries by firms operating in China.
Data indicate a post-2021 decline in CNVD disclosures, particularly for ICS vulnerabilities, which dropped from hundreds annually to just ten in 2022, suggesting withheld reports for offensive use, while U.S. agencies like CISA noted 113 exploited ICS flaws in the same period.
MSS practices, as evidenced by delayed CNNVD publications of critical vulnerabilities, imply evaluation for weaponization, with private-sector partners providing exploits observed in the wild.
Foreign firms complying with RMSV report vulnerabilities without reciprocal disclosures, losing visibility into Chinese research while feeding the system.
In contrast, U.S. decentralized reporting allows flexible, market-driven defenses, though it lacks China’s comprehensive pipeline.
Analysts link increased zero-day deployments by PRC hackers, as per Microsoft’s 2022 Digital Defense Report, to these regulations, enhancing operational tempo for entities like the PLA and MSS.
Policymakers face challenges in countering this, as mirroring mandatory reporting could disrupt markets without defensive gains, given rapid patching timelines of about nine days.
Instead, accelerating CVE assignments might expedite global disclosures, pressuring faster patches and mitigating exploitation spikes.
Ultimately, China’s approach transforms vulnerabilities into strategic resources, granting a clear edge in cyber offense over voluntary international norms.