Capture the flag hacking contests at security conferences often serve two purposes: to help participants develop and demonstrate hacking and security skills, and to help employers and government agencies discover and hire new talent.
But one security conference in China may be taking its competition a step further, possibly using it as a secret intelligence operation in which participants gather intelligence in an unknown location.
According to two Western researchers who translated the documents of China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, which was held last year for the first time, had several unusual features that suggest its purpose may be secret and unusual.
Capture the Flag (CTF) and other types of hacking competitions are often hosted on closed networks or “cyber ranges,” dedicated infrastructure designed for the competition so that participants do not risk disrupting real networks. These ranges provide a simulated environment that mimics a real-world setting, and participants are tasked with finding vulnerabilities in systems, gaining access to certain parts of a network, or capturing data.
There are two major companies in China that establish cyber ranges for competitions. Most competitions name the company that designed their range. Notably, the Zhujian Cup did not mention any cyber range or cyber range provider in its documentation, leaving researchers to wonder if this was because the competition was held in a real location instead of a simulation.
The contest also required students to sign a document agreeing to a few unusual conditions. They were forbidden to discuss the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the intended program; and at the end of the competition, they had to remove any background material they planted in the system and any data they obtained from it. And unlike other competitions in China the researchers examined, participants in this part of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the activities they did as part of it.
Participants were also prohibited from copying any data, documents, or printed materials that were part of the contest; disclosing information about vulnerabilities they discovered; or exploiting those weaknesses for personal purposes. If any of this data or material leaked and caused damage to the organizers of the competition or to China, according to the pledge signed by the participants, they can be held legally responsible.
“I promise that if any incident of disclosure of information (or case) occurs due to personal reasons, causing loss or damage to the organizer and the country, I, as an individual, will be legally responsible according to the relevant laws and regulations,” the oath says.
The competition was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi’an, Shaanxi, which is affiliated with China’s Ministry of Industry and Information Technology and has a secret permit to conduct work for the Chinese government and military. The university is controlled by China’s People’s Liberation Army.