In 2017, the Chinese government listened when Zhou Hongyi, founder and CEO of the Chinese cybersecurity firm Qihoo 360, chastised Chinese hackers who display their skills in foreign hacking competitions. The government agreed with him, prohibited the country’s hackers from entering such competitions, and worked with major tech firms to set up China’s own competition for hackers as a way of enticing and remunerating those who could help it to target enemies foreign and domestic.
According to Patrick O’Neill’s May 2021 report for MIT Technology Review:
Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Beijing agreed. Soon, the Chinese government banned cybersecurity researchers from attending overseas hacking competitions. Just months later, a new competition popped up inside China to take the place of the international contests. The Tianfu Cup, as it was called, offered prizes that added up to over a million dollars.
The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones…. A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Two months after Qixun showed the totalitarian government of China how to hack into the iPhone, Apple fixed the vulnerability.
What happened during the two months?
O’Neill cites a Google analysis of a hacking campaign “exploiting iPhones en masse” that involved at least five different exploits, one of which was Qixun’s prize-winner. What Google’s report missed, though, says O’Neill, “were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.”
Shortly after Google’s researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix.
Although Apple disputes that the iPhone was as widely exposed as suggested by Google, O’Neill notes that the damage was hardly minor.
“One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.”
The Tianfu Cup is still going on. In 2021, it was being sponsored by giant Chinese tech companies like Alibaba, Baidu, Qihoo 360, and the state-owned Chinese Electronics Technology Group. This last “provides ‘Uyghur analytics’ and facial recognition tools to the Chinese government.”
Meanwhile, American officials have become “increasingly concerned about the links between those involved in the competition and the Chinese military.”