Capture the Flag hacking contests at security conferences typically serve two purposes: to help participants develop and demonstrate hacking and security skills, and to help employers and government agencies discover and recruit new talent.
But a security conference in China may have taken its contest a step further, potentially using it as a secret spy operation to get participants to gather intelligence on an unknown target.
According to two Western researchers who translated the documentation for China’s Zhujian Cup, also known as the National University Cybersecurity Attack and Defense Competition, one part of the three-part contest, held last year for the first time, had a number of unusual features that suggest its potentially secret and unorthodox purpose.
Capture the flag (CTF) competitions and other types of hacking contests are typically held on closed networks or “cybercamps” (dedicated infrastructure created for the contest so that participants do not risk disrupting real networks). These camps provide a simulated environment that mimics real-world settings, and participants are tasked with finding vulnerabilities in systems, gaining access to specific parts of the network, or capturing data.
In China, there are two major companies that design cyber shooting ranges for competitions. Most competitions name the company that designed their shooting range. Notably, Zhujian Cup did not mention any cyber shooting ranges or cyber shooting range suppliers in its documentation, leading researchers to wonder if this is because the competition was held in a real environment rather than a simulated one.
The competition also required students to sign a document agreeing to a number of unusual conditions: They were prohibited from speaking to anyone about the nature of the tasks they were being asked to perform in the competition; they had to agree not to destroy or disrupt the system in question; and, at the end of the competition, they had to remove all backdoors they had installed in the system and all data they had obtained from it. And unlike other competitions in China that the researchers examined, participants in this portion of the Zhujian Cup were prohibited from posting any messages on social media that revealed the nature of the competition or the tasks they had performed as part of it.
Participants were also prohibited from copying data, documents or printed materials that were part of the contest; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If any of this data or materials were to leak and cause harm to the contest organizers or China, participants could be held legally liable under the pledge they signed.
“I promise that if any incident (or case) of information disclosure occurs due to personal reasons, causing loss or damage to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with relevant laws and regulations,” the pledge states.
The contest was organized last December by Northwestern Polytechnic Universitya science and engineering university in Xi’an, Shaanxi, which is affiliated with China’s Ministry of Industry and Information Technology and also has top-secret clearance to perform work for the Chinese government and military. The university is supervised by the Chinese People’s Liberation Army.
