China’s Hackers to Showcase Zero-Day Exploits at Tianfu Cup This Weekend

China’s hackers to show off their zero-day exploits 

Some of the world’s largest technology companies will have their eyes glued to the Tianfu Cup (天府杯) in Chengdu to watch some of China’s preeminent hackers break into their devices and systems using original, never-before-seen methods. The event will take place from October 16-17. 

Tianfu’s beginnings: China reins in its homegrown talent

The idea for the Tianfu Cup began in 2017, when Zhou Hongyi, the CEO of Chinese cybersecurity giant Qihoo 360, released a statement opposing Chinese citizens’ participation in overseas hacking competitions—which they have historically dominated. 

Shortly thereafter, the Chinese government forbade security researchers from competing in international hacking competitions, arguing that the zero-day exploits of its citizens could “no longer be used” strategically. 

In response, Beijing created its own competition modeled after Pwn2Own, one of the world’s best-known competitions where China has enjoyed much success.

China employs Tianfu Cup exploits for its own cyber campaigns

At the inaugural Tianfu Cup in 2018, a security researcher from the 360 ESG Vulnerability Research Institute, which is owned by Qihoo 360-owned performed a zero-day exploit nicknamed “Chaos” that reliably took control of the newest iPhone from a starting point within Safari. 

Although the zero-day exploit was reported to Apple—all exploits showcased at the Tianfu Cup are—and a subsequent patch was released, researchers from Google’s Threat Analysis Group (TAG) soon announced that the iOS exploit chains were being used in the wild. 

Uyghur cyber surveillance 

Media sources reported that the Chinese government was using an exploit very similar to Chaos to infect iPhone’s owned by the country’s Uyghur minority population—a Muslim ethnic group living mostly in China’s Xinjiang Province. Chaos allowed the Chinese government to read the victim’s messages, passwords, and track their location in near-real-time; Beijing’s cyber surveillance reportedly continued through the COVID-19 pandemic. 

2021 Tianfu Cup: The rules of the game

Each year, the competition hosts three concurrent tournaments: 1) the original vulnerability demonstration, 2) the device cracking competition, and 3) the operating system cracking competition. The total purse for this year’s competition is $1.5M.

Device cracking

In this year’s competition, teams are given three five-minute attempts to crack a device using an original vulnerability against a target of their choosing from a preselected list. The device cracking competitors the largest monetary awards and draws the most media attention. 

The 360 ESG Vulnerability Research Institute won first place at the 2020 Tianfu Cup for the third year in a row and won awards for hacking numerous popular devices, web browsers, platforms, and software. Flashpoint analysts assess with moderate confidence that Qihoo 360’s team will likely win for a fourth consecutive year at the 2021 tournament this weekend.

Prepare for ransomware and cyber extortion with Flashpoint

Sign up for a free 90-day trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).