China has altered public vulnerability data to conceal the influence of its spy agency in the country's national information security bug reporting process.
The damning finding from threat intel firm Recorded Future follows months of research examining the publication speed for China’s National Vulnerability Database (CNNVD).
During the course of the research, Recorded Future said it discovered China had a mechanism for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations prior to publishing them to the CNNVD.
Recorded Future said it had discovered that CNNVD had changed their initial publication dates of several high profile vulnerabilities in an apparent attempt to cover up this evaluation process.
Earlier research by the threat intel firm found the Chinese government’s vulnerability reporting was generally faster than that of its US equivalent, as The Register has previously reported. CNNVD is faster and more comprehensive - up to a point - because it pulls in information from a wide variety of sources.
The US government's National Vulnerability Database (NVD) relies on vendor submissions.
Recorded Future found that this general rule was broken in the case of high impact vulnerabilities or those where an exploit was available, identified as statistical outliers in earlier phases of Recorded Future’s research.
The Register spoke to Priscilla Moriuchi, director of strategic threat development at Recorded Future and co-author of its latest report, who said this delay could extend from days or weeks to – in one extreme case – a report of a vulnerability that came out more than eight months prior to its publication.
“[The US] NVD is quicker to report high impact threats than less serious vulnerabilities but it’s the opposite with China,” Moriuchi said. “China is also comparatively slow to publish vulnerabilities with known exploits.”
Recorded Future alleged the CNNVD had a formal vulnerability evaluation process in which high-threat CVEs were assessed for their operational utility by the Ministry of State Security (MSS) before publication.
"[This] publication lag was one way to identify vulnerabilities that the MSS was likely considering for use in offensive cyber operations. CNNVD’s outright manipulation of these dates implicitly confirmed this assessment," Recorded Future claimed.
Backdating the publication date of a Microsoft Office vulnerability - take one [source: Recorded Future]
Backdating the publication date of a Microsoft Office vulnerability - take two [source: Recorded Future]
CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities, according to Recorded Future. One high-profile example (illustrated by the screenshots above) involved a Microsoft Office vulnerability subsequently used by a Chinese APT group to target financial industry analysts in Russia and central Asia.
Another (not cited here but featured in RF’s blog post) involved a firmware vulnerability in Android software that could have offered a backdoor handy, in particular, for domestic surveillance.
"By retroactively changing the original publication dates on these statistical outliers, CNNVD attempted to hide the evidence of this evaluation process, obfuscate which vulnerabilities the [Ministry of State Security] may be utilising, and limit the methods researchers can use to anticipate Chinese APT [state backed hacking] behaviour," the firm said.
This "large-scale manipulation" of vulnerability data undermines trust in the CNNVD process and could compromise security operations relying solely on the Chinese agency for infosec threat information.
"In some cases the CNNVD is more comprehensive [than other sources] but you can’t trust it," warned Moriuchi, who led the National Security Agency’s East Asia and Pacific cyber threats office prior to joining Recorded Future.
CNNVD has its own website, but appears to be separate from the MSS in name only. It even shares a building in Beijing with the MSS. “This is important because the MSS is not just a foreign intelligence service, but it also has a large, and arguably more important, domestic intelligence mandate,” Recorded Future noted.
CNNVD’s evident manipulation of its vulnerability publication data ultimately reveals more than it conceals, the researchers said.
Recorded Future’s previous research found China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the CNNVD. In revisiting this analysis, Recorded Future discovered that CNNVD had back-dated and altered its initial vulnerability publication dates in a botched attempt to cover up that evaluation process.
China’s recently instituted Cybersecurity Law (CSL) mandates that companies operating in China adopt a “tiered system of network security protections” that holds companies both legally and financially responsible for a “network security incident”.
For a foreign multinational company to comply with all the provisions of the CSL means (in effect) co-operating with Chinese security and intelligence services. ®