Security researchers have claimed that the Chinese authorities are trying to disguise their efforts to research public vulnerabilities for use in state hacking.
Recorded Future has released several reports on the work of China’s National Vulnerability Database (CNNVD), which it claims is “essentially a shell” for the powerful Ministry of State Security (MSS).
The CNNVD tends to publish vulnerabilities far quicker than the US equivalent, the National Vulnerability Database (NVD), taking just 13 days from the initial disclosure versus 27 days in the US. The CNNVD captures 90% of all flaws within 18 days, while the NVD takes 72 days because it relies on voluntary submissions from vendors, it concluded.
However, the researchers discovered that in some outlying cases, the NVD is much quicker to publish, sometimes twice as fast.
On further investigation, it claimed to have found an attempt by the Chinese authorities to backdate the original publication dates for these vulnerabilities, in a bid to obfuscate its offensive cyber-operations.
“We discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017 with an average backdate of 57 days. Each date was changed post-publication to approximate or beat NVD’s publication date,” the report noted.
“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilizing, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered.”
Recorded Future warned companies relying solely on the CNNVD, especially those within China or the Asia region, that they could be exposing themselves to unnecessary extra risk.
“This data manipulation reinforces the dominance of the secrecy mandate over transparency in China,” it concluded. “Instead of taking steps to remove the undue influence of secrecy and the intelligence services over vulnerability reporting, CNNVD has gone the opposite way and sought instead to further conceal that influence.”