China’s intelligence agency is altering its public vulnerabilities database to hide security flaws that its spies can use, according to research released last week by US threat intelligence analysis firm Recorded Future.
The researchers found that China’s National Vulnerability Database (CNNVD) – which alerts the public to software loopholes that could allow data to be stolen – was updated much more quickly than its US counterpart, which relies on reports from the industry. The CNNVD casts a wider net and reports on the basis of web reports from outside the industry, should external reports come first.
However, there are exceptions. Some of the most dangerous threats were reported unusually late by the CNNVD, researchers found. The delay was usually a matter of weeks but, in one case, was eight months.

The researchers were able to establish that – in one case of a delayed report – the vulnerability was being used by state-sponsored hackers to spy on the Russian telecommunications industry and financial firms in Central Asia.
Another long-delayed report concerned a bug in mobile phone software which was exploited to send large quantities of data in the direction of China and could also have been used to collect data on domestic mobile phone users.
The researchers noted that the CNNVD is compiled by the China Information Technology Evaluation Center (CNITSEC) – an office of the Ministry of State Security, which is in turn responsible for domestic and international spying.
They also said that the CNNVD has taken to backdating its reports of vulnerabilities in a vain attempt to conceal from observers which ones have been kept quiet. It reportedly did so 267 times.

The report concluded that prudent computer owners will use reports from both the US and Chinese agencies to head off hackers. But for IT firms operating in China itself, that may not be an option.
In its report of the discoveries, IT specialist website The Register concluded that “for a foreign multinational company to comply with all the provisions of [China’s Computer Security Law] means (in effect) co-operating with Chinese security and intelligence services.”
Not-for-profit, run by journalists and completely independent. Contribute to our critical month-long HK$1m Funding Drive, help safeguard our independence and secure our operations for another year. Read how carefully we spend every cent in our Annual/Transparency Report.
