Chinese Government Alters Threat Database Records

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I'm Dave Bittner from the CyberWire. Thanks for joining us for episode 47 of the Recorded Future podcast.

In a previous episode of this podcast, I spoke with Bill Ladd, chief data scientist at Recorded Future, about the differences between the U.S. and Chinese cyber threat vulnerability reporting systems. He pointed out the difference in speed of publishing between the two, with the Chinese generally being faster, as well as their conclusion that the Chinese National Vulnerability Database, the CNNVD, is essentially a shell for the Chinese MSS, the Ministry of State Security. This being the case, there's evidence that the Chinese evaluate high-threat vulnerabilities for their potential operational utility before releasing them for publication.

Since then, researchers at Recorded Future have taken another look at the CNNVD and discovered the outright manipulation of publication dates of vulnerabilities. Priscilla Moriuchi is director of strategic threat development at Recorded Future, and along with Bill Ladd, she's co-author of their research analysis "China Altered Public Vulnerability Data to Conceal MSS Influence." She joins us to discuss their findings and their broader implications. Stay with us.

Priscilla Moriuchi:

At the end of last year, in the fall, we started doing some research and comparing and contrasting the U.S. National Vulnerability Database, or NVD, to China's NVD. We wanted to see which one was faster, which one was more comprehensive, and if there was any way for our customers to get the most comprehensive view of which vulnerabilities still could be covered and how fast we can do it. We profiled the two databases and we found, for example, that China's Vulnerability Database, or CNNVD, is generally faster than the U.S. NVD when it comes to publicizing and publishing vulnerabilities. It takes them, on average, about 13 days, and it takes the U.S. NVD, on average, 33 days. There are also almost 1,800 CVEs that were currently in the CNNVD, but were not in the U.S. NVD.

So, we kind of started there, and then we decided to dig a little further into CNNVD data. We have hypothesized that because the CNNVD is so fast, on average, and the U.S. NVD is slower, that if we look at our group of CVEs, where China is very slow but the U.S. is very fast, that might give us insight into China's process.

Dave Bittner:

There's a component to this, as well, where the CNNVD is a component of the Ministry of State Security. Can you describe the background with that?

Priscilla Moriuchi:

Yeah, sure. The Ministry of State Security, or the MSS, is roughly China's equivalent to the American CIA. So, they have a foreign intelligence, they're like a foreign human intelligence organization, but they also do … Half of their mandate is domestic intelligence. Keeping an eye on their citizens and making sure that the party — the Communist Party — can stay in power. So, the MSS hasn't been ... sort of known on how the MSS works within China and within China's broad information security system. So, when we were doing this particular research, we were able to discover that the MSS actually runs China's National Vulnerability Database, which is sort of the equivalent to in the U.S., the CIA running the U.S. NVD, which is not the case in the United States. The Department of Homeland Security and the National Institute for Standards run the U.S. NVD.

In China, the equivalent CIA, or the MSS, runs China's NVD. So, that was kind of a disturbing trend in terms of the mission of NVDs. The mission, in our mind, of NVDs is a public service mission, right? To put out information on vulnerabilities so that companies and individuals can protect their own networks. In the U.S., it's not perfect — of course, nobody's perfect — but China really doesn't seem to take this public service mission very seriously when they have their primary intelligence service running their NVD.

Dave Bittner:

They have a different set of priorities, perhaps, than we do.

Priscilla Moriuchi:

Right. You know, there's a contrast. Between the transparency mission of an NVD and the secrecy mission of an intelligence service. One mission will win out, and in China, it's the secrecy mission that has won out over the transparency mission, in this case.

Dave Bittner:

Take us through the deeper digging that you did and what you discovered.

Priscilla Moriuchi:

So, when we looked at these, what we'll call “statistical outliers,” these vulnerabilities where the NVD took six days or less to publish and the CNNVD took over four weeks … We're trying to account for bureaucratic lags, and things like that. When we got that number originally, there were about 287 vulnerabilities that fell into that category. When we did a lot of research on those vulnerabilities, we found out that we had likely discovered what we call the “threat evaluation process,” where the MSS was using the CNNVD to evaluate high-threat vulnerabilities for use in their own offensive operations.

So, for example, a vulnerability would get discovered by the CNNVD. We saw evidence of this process — it was an evaluation process in hiding these vulnerabilities from publication in the data that we saw. There were two really good examples that we came across, where you can very clearly see the delay and what happened as a result of the delay. The first example was a CVE that came out in 2017 — it's 2017-0199. That CVE was a really high threat. It was a CVE for a Microsoft Suite product. Exploits for it have been used since it was originally released in April, and it's been really heavily utilized by threat actors.

So, in this publication lag that we observed, we saw it get published by the U.S. NVD in April, and then it didn't get published by the CNNVD until June. In that time period, in that lag, what we saw was a Chinese APT group actually using that vulnerability. They'd developed an exploit for it, and were actually using that vulnerability to target some Russian groups.

There's one case, right there, where during that publication lag, Chinese intelligence services were actually using this vulnerability — an exploit for this vulnerability — offensively in their own cyber operations. That was one vulnerability. Another vulnerability that we identified was a vulnerability for Android software, and it was essentially a backdoor that was developed by a Chinese company. This backdoor and this vulnerability had the longest publication lag for any CNNVD vulnerability. It was over eight months from the time that NVD published it to the time that the CNNVD published it. During that eight-month time period, there were a number of investigations — one by the New York Times, for example, that was able to tie this company and this particular vulnerability to Chinese government surveillance organizations.

We really felt like this, in addition to all of the data analysis, that these two examples were really clear examples of how the MSS was using its position, running the CNNVD for its own sort of secrecy and intelligence mandate.

Dave Bittner:

Help me understand. Would researchers in China … Would they have access to our NVD, or is access to that restricted?

Priscilla Moriuchi:

I don't think it's restricted in China, but a lot of researchers don't speak English, for example. Many people would honestly not think to check other sources because they don't realize that China's NVD data is being manipulated, which we'll go into later. There's another aspect to this, which is that Chinese companies can sign up for access via an API, right? So, automated access to China's NVD. They may not even realize that there's a lag going on if they're not really in the world of discovering vulnerabilities.

Dave Bittner:

So, if you all concluded there's this lag going on with some of these vulnerabilities — come to these conclusions — in your mind, that's a way to track which vulnerabilities China is interested in exploiting for their own use. Then it gets a little more interesting from there.

Priscilla Moriuchi:

Yeah, so, we did that research and we decided to take a look at it again last month to do a six-month follow-through to see if anything had changed. We reexamined the data from the NVD side, and for example, we saw that the U.S. NVD had gotten a little faster. So, the average delay had dropped from 33 days to 27 days, which is good. The NVD was also catching up on the backlog of unpublished CVEs. They had published almost 1,000 CVEs in just a couple of months of that backlog, so that was quite good. Then, we took a look at the CNNVD data, just trying to see what they had and if anything had changed. What we discovered was, we started looking at the initial publication dates for these outlier CVEs and we realized that instead of trying to remove the MSS or the influence of security services over this transparency process, they tried to cover it up by backdating the initial publication date of 99 percent of the CVEs that we identified.

So, if we go back to the two examples that I called out earlier, the Microsoft Suite vulnerability and the Android vulnerability, when we originally queried these vulnerabilities in the CNNVD, back in October, you see the publication date they have listed was June 7. That allows for a publication lag on the Microsoft one. For the Android one, the publication date they had listed was in September. When we checked both of those vulnerabilities again, we realized that they had changed the initial publication date to match the NVD's publication date. So, essentially, they tried to wipe out evidence of this evaluation process and hide, or obfuscate, which vulnerabilities the MSS might be utilizing in their offensive operations. They sort of tacitly confirmed that they're actually using the CNNVD as a kind of experiment testing ground for vulnerabilities that they could find useful. They're trying to hide the evidence of this process and, we think, limit the methods in which cybersecurity researchers and professionals can use to try and anticipate Chinese APT behavior.

Dave Bittner:

Have they changed the way that they're publishing new vulnerabilities? In other words, are they now publishing them with the backdating baked in from the outset?

Priscilla Moriuchi:

No. So, that's the funny part. It seems, at least from this first examination of ours, that they sort of did it in one bulk update. So, they looked at the methodology that we used. We didn't publish all of the CVEs by number — the ones that we had identified — we just published our methodology. They would have had to repeat our methodology in order to backdate only those CVEs. We also discovered that ... So, we published that blog back in November, and all of these outlier CVEs that were published before November 2017 were all backdated, but outlier CVEs published after November 2017 were not.

So it's either a one-time attempt to scrub what we found, at Recorded Future, in trying to get rid of that evidence for that process or two, they may periodically update or backdate those publication dates, or three, in the future they could just publish fraudulent dates to begin with. That would be much trickier to track. It's still kind of new for us in terms of how we're trying to track the changes and the data manipulation that they're conducting, but yeah, it's an interesting response.

Dave Bittner:

So, take us through why this matters. How does this affect security researchers?

Priscilla Moriuchi:

For security researchers, it's going to be a little bit more difficult to anticipate, at least from the MSS and vulnerability side, which vulnerabilities the MSS may be using. But I think more broadly, we're sort of talking about a system ... China's manipulation of their NVD data fits into this larger M.O. that they have, which is data control. Controlling the data of their own citizens, of foreign companies within the country, and how that impacts foreigners and particularly, Westerners, or those of us who are listening here.

It takes you back to research that we'd done earlier on China's cybersecurity law, which is kind of like their information control law, and how that requires Western companies, for example, to submit to these reviews that are run by the MSS, of their technology. We really see this data manipulation by the CNNVD as all part of this larger system of control that China's imposing, not just on its own people, but on anyone, any company, any entity that does business or travels to China. That's meaningful for all of us, really, because we all use products from large, multinational companies. Products that have, store, and use our data, for example. It could be a privacy concern for some people in the future. This is sort of just one thread of the larger story about how China is controlling their information and manipulation of the domestic Chinese information environment, and how it can affect the whole world.

Dave Bittner:

One of the interesting things you pointed out in the research was that there's the potential for there being a liability issue for companies who rely on CNNVD data. Can you take us through that?

Priscilla Moriuchi:

Yeah, so, say you're a company and your sole source of information is CNNVD data. If we take that Microsoft Suite vulnerability as an example, the 0199, it was initially published to the public in April, right? However, we have seen that there was an exploit that was developed for that vulnerability as early as April and May, but China didn't publish that vulnerability until June. So, if you are a Chinese company that was relying on Chinese data, then your company did not know about that vulnerability until June, when the rest of the world knew about it back in April.

When the CNNVD went back and changed the date on that … If you had an incident somewhere in that lag between April and June, if you go back, it would look like your company had known about that vulnerability, but chose not to remediate. Where in reality, your company didn't know about that vulnerability because you were using CNNVD data and you had no way to remediate it. So, sort of depending on the data, the breach, and the country, this data manipulation could put companies at risk — even further risk — for things like fines or legal action resulting from an intrusion.

Dave Bittner:

From a big picture point of view, what does this do in terms of relying on the CNNVD as a source of data for these sorts of things?

Priscilla Moriuchi:

From our perspective, it makes the CNNVD a very unreliable source. When we initially examined them, we saw that they use a sort of pull methodology. They pull vulnerabilities, and they seek out information about vulnerabilities in a different way than NVD. NVD relies on submissions. That was an interesting way, and we felt that at the time, it was a more comprehensive way to catalog and publish vulnerabilities. But when you couple that with both this data manipulation and the unreliability of their data? You know, from our prospective, it can't be a sole source for companies to rely on anymore because that data could be manipulated, and it could put them in a myriad of risk from all these different angles.

Dave Bittner:

Have there been any signs of any other manipulation other than the publication dates? Have there been any changes to any other data in the threat assessments?

Priscilla Moriuchi:

Not that we've seen. It seems to be a very — at this point — limited response to what is probably like a data leakage. It's evidence of them changing data to hide the involvement of the MSS, and it seems, right now, just to be an attempt to control that information leak. We're definitely going to keep an eye on it in the future. There are some other methodologies that we can still use to track which vulnerabilities are being used and explored in this assessment process by the MSS.

Dave Bittner:

What are your recommendations for security professionals, given this information? How should they proceed going forward?

Priscilla Moriuchi:

So, if as a professional, you're interested in what Chinese APTs might be using to exploit networks in the future, one of the things you can do is query the CNNVD database and keep track on your own, or through Recorded Future because we do it as well — the publication dates for CVEs. So, for example, if you see a CVE that's been published in NVD, but after a month has still not been published in the CNNVD, then I would flag that CVE as possibly interesting to the MSS. Then I would raise the risk profile of that CVE.

For example, one of our future lines of analysis will be … There are a number of CVEs that have never been published by China that are in the U.S. NVD. That is also kind of a suspicious set of CVEs for us that we're going to be looking into. You know, what does that mean, if the CNNVD never publishes it? For foreign companies doing business in China, where you have a sort of multifaceted risk environment, you've got this draconian cybersecurity law, right? That was passed back in June. That requires a number of security controls, and for companies to keep data on Chinese citizens within the country.

You have the MSS administering the review of the national security review, part of the cybersecurity law. You have the MSS, at the same time, running multiple threat actor groups that are targeting foreign companies. You have the MSS running China's National Vulnerability Database, and then kind of cherry-picking vulnerabilities for them to use in their own operations. I guess the bottom line for companies is that the risk environment in China is expanding, but it's expanding because they're being required by law to cooperate with entities like the MSS. It just creates a whole new set of complications for foreign companies.

Dave Bittner:

Our thanks to Priscilla Moriuchi for joining us.

You can read the complete report "China Altered Public Vulnerability Data to Conceal MSS Influence" on the Recorded Future website.

If you enjoyed this podcast, we hope you'll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.