China Suspected of Leveraging “White Hat” Hackers for Cyberattacks, Escalating Global Cybersecurity Concerns
China is increasingly under suspicion for utilizing “white hat” hackers, typically employed to identify cybersecurity vulnerabilities, to further its offensive cyber operations. This shift has effectively mobilized the country’s elite private hackers, raising alarm in global cybersecurity circles.
An investigation by Nikkei and other organizations revealed a significant rise in cyberattacks involving Chinese actors since 2021, when a new law mandated reporting software vulnerabilities to the Chinese government. The number of these attacks has surged, with data indicating a sharp increase in cases where Chinese involvement is suspected.
White hats, who usually work for security companies or as freelancers, are responsible for identifying and reporting software vulnerabilities. Normally, developers then create patches to fix these flaws, improving product safety. However, since September 2021, Chinese companies and individuals have been required to report any discovered vulnerabilities to the Ministry of Industry and Information Technology within 48 hours. This regulation has sparked criticism in Europe and the U.S., where concerns have been raised that these vulnerabilities could be exploited before they are patched.
Files purportedly leaked from the Chinese cybersecurity company i-Soon suggest that the government has indeed been exploiting these vulnerabilities. These files, analyzed by cybersecurity firm TeamT5, reportedly show that i-Soon, which employs many self-described white hats, has provided the Chinese government with tools to remotely extract data from iPhones and has sold data allegedly stolen from 18 countries and regions, including Taiwan and India.
Data collected by Nikkei, in collaboration with cybersecurity firm Trend Micro, highlighted a troubling trend: 222 software vulnerabilities identified by the U.S. government and other entities are being actively exploited by hacker groups believed to be connected to the Chinese government. The number of such attacks has grown exponentially, from 16 in 2021 to 267 in 2022, before nearly doubling to 502 in 2023.
Katsuyuki Okamoto, a cybersecurity expert at Trend Micro, noted that while phishing was once the main method of cyberattacks, vulnerability exploitation has become the dominant tactic, particularly in China. Following Microsoft’s introduction of phishing countermeasures in 2022, Russian hacker groups showed a similar trend, but China has made the most pronounced shift.
The skills of Chinese white hats are globally recognized. Chinese hackers have historically dominated at the world’s largest hacking contest, Pwn2Own, capturing 79% of the total prize money by 2017. However, since 2018, when China banned its white hats from participating in international hacking contests, the country’s cybersecurity competition has been focused on the Tianfu Cup, China’s version of Pwn2Own.
Leaked files from i-Soon suggest that vulnerabilities uncovered during the Tianfu Cup have been exploited by the Chinese government. These revelations have intensified concerns that China’s private-sector hackers are not only identifying vulnerabilities but also participating in cyberattacks against other countries as part of their business dealings with the government.
This development underscores the growing challenge in global cybersecurity, as private hackers in China appear to be increasingly integrated into state-sponsored cyber operations, raising significant security concerns worldwide.