Author(s): Eugenio Benincasa

Source: War on the Rocks

Date: 09/03/2024

Keywords: Technology, cyber operations, hackers


Summary:
The FBI estimated that Chinese hackers outnumber their US counterparts by 50 to 1, signifying China's focus on cyber operations. China was proactive in identifying "zero-day" vulnerabilities in Western software and hardware. Zero-days are dangerous because they are newly discovered and no patches are available, making them a perfect target for belligerent actors to exploit before firms can set up defenses. There are two groups within China's offensive cyber ecosystem: one is akin to bounty hunters who identify vulnerabilities and inform the vendors; the other consists of contracted hackers who conduct cyber operations against targets after obtaining information from the former. This ecosystem allows China to mobilize the capabilities of top researchers while insulating them from direct state-sponsored activities.
  • Chinese hackers actively participated in global hacking competitions where contestants must find zero-days in software and hardware systems. They were consistently top-ranked, showing their ability to find vulnerabilities in Western digital systems. Further, Chinese researchers and cybersecurity experts were top contributors that helped Western IT firms identify vulnerabilities, helping make critical US tech products safer.
  • The Chinese central government recognized their potential for cyberattacks and cyber-espionage. The government even required Chinese researchers to submit zero-days to state authorities within 48 hours of discovering them. Government agencies could also choose which vulnerabilities to publicly announce or conceal for potential use in future cyber operations.
  • The central government punished some Chinese individuals and firms for disclosing zero-days directly to Western companies without going through the central authority, or for refusing to participate in cyber-offense operations. Yet, the Chinese government ignored illegal intelligence gathering that could benefit companies or the country.
  • A Chinese state-sponsored effort to acquire and exploit zero-days is evident, giving China advantages over Western governments.