China manipulates vulnerability data to hide intelligence service involvement
It's long been known that the Chinese government has links to hacker groups, but new research into the country's national vulnerability database (CNNVD) reveals evidence of data being changed to hide influence by the country’s intelligence service.
Research published by security intelligence specialist Recorded Future back in November found that CNNVD is faster than the US national vulnerability database (NVD) in reporting vulnerabilities -- NVD trails CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days).
However, during a follow-up to that research, Recorded Future has discovered that China has a process for evaluating whether high-threat vulnerabilities have operational utility in intelligence operations before publishing them to the CNNVD. In revisiting that analysis, it has discovered that CNNVD has altered its initial vulnerability publication dates in what is believed to be an attempt to cover up the evaluation process.
It finds that CNNVD has altered the original publication dates in its public database for at least 267 vulnerabilities. CNNVD is, says Recorded Future, essentially a shell for the Ministry of State Security (MSS); it has a website but appears to be separate from the MSS in name only. This is important because the MSS is not just a foreign intelligence service; it also has a large domestic intelligence mandate.
The report's authors note, "This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilizing, and limit the methods researchers can use to anticipate Chinese APT (Advanced Persistent Threat) behavior. There is no other logical explanation why only the initial publication dates for outlier CVE would have been altered. While we did not query the publication dates of all 17,000+ CVE listed in both NVD and CNNVD, we did query a portion of non-outlier CVE and discovered no manipulation of publication dates."
You can find out more about the research on the Recorded Future blog.