September 18, 2024:
Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.
But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.
According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.
Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.
There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.
The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.
Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.
“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.
The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi’an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.