In 2017, the Chinese government listened when Zhou Hongyi, founder and CEO of the Chinese cybersecurity firm Qihoo 360, chastised Chinese hackers who display their skills in foreign hacking competitions. The government agreed with him, prohibited the country’s hackers from entering such competitions, and worked with major tech firms to set up China’s own competition for hackers as a way of enticing and remunerating those who could help it to target enemies foreign and domestic.
According to Patrick O’Neill’s May 2021 report for MIT Technology Review:
Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Beijing agreed. Soon, the Chinese government banned cybersecurity researchers from attending overseas hacking competitions. Just months later, a new competition popped up inside China to take the place of the international contests. The Tianfu Cup, as it was called, offered prizes that added up to over a million dollars.
The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones…. A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Two months after Qixun showed the totalitarian government of China how to hack into the iPhone, Apple fixed the vulnerability.
What happened during the two months?
O’Neill cites a Google analysis of a hacking campaign “exploiting iPhones en masse” that involved at least five different exploits, one of which was Qixun’s prize-winner. What Google’s report missed, though, says O’Neill, “were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.”
Shortly after Google’s researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix.
Although Apple disputes that the iPhone was as widely exposed as suggested by Google, O’Neill notes that the damage was hardly minor.
“One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.”
The Tianfu Cup is still going on. In 2021, it was being sponsored by giant Chinese tech companies like Alibaba, Baidu, Qihoo 360, and the state-owned Chinese Electronics Technology Group. This last “provides ‘Uyghur analytics’ and facial recognition tools to the Chinese government.”
Meanwhile, American officials have become “increasingly concerned about the links between those involved in the competition and the Chinese military.”
