This video provides an in-depth exploration of China's rapid ascent to becoming a global cyber superpower, focusing on the development and scale of its state-sponsored hacking and cybersecurity industry. It charts the evolution of Chinese cyber operations, including direct attacks on foreign infrastructure and the carefully cultivated ecosystem of hackers. Through leaked documents and high-profile hacking competitions, viewers learn how China integrates vulnerabilities into its military and intelligence strategies, and how its approaches differ from more decentralized Western models.

The video is particularly fascinating for those interested in cybersecurity, technology policy, and international affairs, as it illuminates not just the techniques and goals of Chinese hackers, but the broader governmental ambitions behind these operations. Comparisons with the US and other countries help contextualize the scale and coordination of China's cyber activities. Real-world demos and expert insights make the threats posed by sophisticated hacking—like those affecting EV chargers and critical infrastructure—more tangible and urgent.

Key takeaways from the video:

💡 The Chinese government systematically cultivates and deploys hacking talent as part of its national security and intelligence apparatus.
💡 Vulnerabilities found in competitions or industry are often immediately passed to the Chinese government, sometimes for use in surveillance or cyberwarfare.
💡 Efforts to coordinate international norms and responsible disclosure are increasingly vital as cyber warfare threatens not only national security but civilian infrastructure and public safety.

Key Vocabularies and Common Phrases:

1. infiltrate ['ɪnfɪltreɪt] - (verb) - To secretly enter or gain access to a place or organization, often to acquire secret information or cause harm. - Synonyms: (penetrate, slip into, invade, breach)

As long as there have been computers, there have been people finding ways to infiltrate them, manipulate them, and disrupt them.

2. espionage ['espiənɑːʒ] - (noun) - The practice of spying or using spies to obtain secret information, usually for political or military purposes. - Synonyms: (spying, surveillance, reconnaissance, intelligence gathering)

Cyber espionage is really a normal fact of life.

3. pervasive [pər'veɪsɪv] - (adjective) - Spreading widely throughout an area or a group of people, often with a negative connotation. - Synonyms: (widespread, rampant, prevalent, omnipresent)

The other particularly unique element that is revealed in the I-Soon documents is how pervasive hacking is in the Chinese state.

4. systemically [sɪsˈtɛmɪkli] - (adverb) - In a way that affects an entire system; methodically or comprehensively. - Synonyms: (structurally, comprehensively, methodically, thoroughly)

China has, over the last 20 years, systemically tried to grow and shape its hacker ecosystem into something that it can plug directly into its cyber operations.

5. vulnerabilities [ˌvʌlnərəˈbɪlɪtiz] - (noun, plural) - Weaknesses that can be exploited to cause harm or unauthorized access within systems, particularly in computing. - Synonyms: (weak spots, flaws, loopholes, susceptibilities)

Their goal is to find weaknesses or holes in software known as vulnerabilities and exploit them for a cash prize.

6. prowess ['praʊɪs] - (noun) - Exceptional ability or skill in a particular activity or field. - Synonyms: (expertise, competence, mastery, skill)

They really saw Pwn2Own as an opportunity to show their research prowess.

7. curriculum [kə'rɪkjələm] - (noun) - The subjects comprising a course of study in a school or college. - Synonyms: (syllabus, course of study, program, subjects)

From 2015 to 2017, the government put a bunch of policies in place at universities that improved the cybersecurity degree curriculum.

8. obliged [ə'blaɪdʒd] - (verb, past participle) - To be required or compelled to do something, especially by law, morality, or necessity. - Synonyms: (required, compelled, forced, mandated)

Researchers and companies are not legally obliged to disclose information to them.

9. decentralized [ˌdiːˈsɛntrəˌlaɪzd] - (adjective) - Distributed across several locations or authorities, rather than being controlled by a single center. - Synonyms: (dispersed, distributed, diffused, scattered)

In the United States, the hacker competitions are far more decentralized than they are in China.

10. mitigating ['mɪtɪˌɡeɪtɪŋ] - (verb, present participle) - Making something less severe, serious, or painful. - Synonyms: (alleviating, reducing, lessening, easing)

In fact, when it comes to mitigating risks against Chinese hacking activity, it's not very likely that you're going to prevent a Chinese hacker from wanting to keep doing what they're doing.

How China Is Building an Army of Hackers

As long as there have been computers, there have been people finding ways to infiltrate them, manipulate them, and disrupt them. Massive and ongoing Chinese hack. Investigating a Chinese hack of major telecommunications companies. Cyber espionage is really a normal fact of life. But the growth and intensity of China's cyber security industry, including its hacking, has taken the world by surprise. China has gone after electrical grids, water treatment facilities, and telecoms associated with the United States critical infrastructure. The Chinese may not be as sophisticated as the United States, but on every level, China has been moving with substantial determination.

Last year, a Chinese cybersecurity firm had its secrets basically leaked online. It was really astonishing because it gave us an insight into the inner workings of Chinese cybersecurity. China has, over the last 20 years, systemically tried to grow and shape its hacker ecosystem into something that it can plug directly into its cyber operations. Their goal in accessing and maintaining access to those systems is to provide military leadership the option to stop their function.

Okay, let's get started. Are you ready? Yes, sir. Let's take it off in 5, 4, 3, 2, 1. This is one of many global hacking competitions. Since 2007, Pwn2Own has attracted some of the world's best hackers or researchers. Not all hackers are criminals with malicious intentions. With a focus on real-world devices, their goal is to find weaknesses or holes in software known as vulnerabilities and exploit them for a cash prize. And now you can see inside the RF enclosure. This year we're doing EV chargers, including the Tesla wall connector. Many people don't realize that an EV charger actually can communicate to a vehicle and vice versa.

Let's say you pull up to a charger and you just plug in your car. You come back later, your car's charged, you drive off. Now, unbeknownst to you, your vehicle was compromised. A few days later you might need to charge again. Then you went to a second charging station and your vehicle compromised a second EV charger. So it keeps spreading and spreading and spreading. And once you take over a vehicle like that, you can do a lot of different things. You could potentially mess with systems that really operate the function of the car. And in the worst case scenario, you could take over the autopilot of one of the self-driving cars and actually cause a wreck with the self-driving capabilities. So that's one of the things that we were really looking to see this year, not to just get bugs identified, but to get them fixed before they're exploited by someone on the black market.

We have a success. They were able to get it on their second attempt. So they will head off to the disclosure room, talk about all of the details. Once escorted off stage, this hacking team must then share the vulnerabilities they found directly with the company, in this case, Tesla. From the minute it's done, the vendors are able to start working on fixes.

Teams from 13 countries, including Vietnam, France, Germany and North America are taking part, but none from China. There was a time, however, when Chinese teams were an unstoppable force. Teams from Tencent and Qihoo 360 did very well in years past, and they really saw Pwn2Own as an opportunity to show their research prowess. They stopped in 2018 after the Chinese government decided to restrict Chinese teams being able to compete in competitions outside of China. This absence from international competitions was one of several government policies that many cybersecurity experts believe are part of a broader strategy developing in China for over a decade.

When Xi Jinping comes into power in 2013, Edward Snowden had already leaked documents from the NSA detailing US offensive capabilities. They're watching the Arab Spring happen. They are very aware that regime instability can occur from lack of control over content on the Internet. They made a decision to really go deep and hard on this and invested in their talent, invested in their programs, invested in their tech. From 2015 to 2017, the government put a bunch of policies in place at universities that improved the cybersecurity degree curriculum. In 2018, they started promoting hacking competitions through government ministries. They ended up spinning up a very famous hacking competition called Tianfu Cup. The difference between Tianfu Cup and other international hacking competitions was that Tianfu Cup would take vulnerabilities and feed them straight into the Chinese intelligence community. So say you, a Chinese researcher, have a really cool vulnerability that you found in the iPhone, and you exploit it at this competition. The organizers of that competition will take that very cool iPhone vulnerability and send it to the Chinese police, who will then use it to spy on the Uyghur population in Xinjiang. We know that that happened back in 2021.

And finally, in 2021, they rolled out a policy that has not been matched anywhere else in the world. The regulation on the management of software vulnerabilities requires businesses, quote, doing business in China to provide software vulnerabilities to the government within 48 hours of them becoming aware of them. That means the government gets almost immediate access to newly discovered vulnerabilities. The Chinese Ministry of Foreign Affairs has stated that the regulation's aim is to prevent the leakage and unauthorized disclosure of vulnerability information. It also supports reporting these vulnerabilities to the product providers directly. While the US government is also known to collect vulnerabilities, researchers and companies are not legally obliged to disclose information to them. We're talking about agencies like the Central Intelligence Agency and the National Security Agency who have discovered vulnerabilities that they don't want to reveal so that they can attack systems in other countries. China's the same in many ways.

Chinese and US hacking teams have similar goals. They want to control the information environment. They're also potentially preparing their military for cyber action in the event of an attack. As part of that strategy, and to compete alongside other cyber superpowers, China's state-sponsored hacking competitions have grown significantly. In the United States, the hacker competitions are far more decentralized than they are in China. But what happens in the Chinese case, and in hacker competitions globally, is that really amazing talents are regularly exposed and then sucked up by the intelligence agencies or by clever corporations.

According to an Atlantic Council report, 129 different hacking competitions have occurred in China since 2004, with most starting after Xi Jinping came into power, the largest of which was the state-sponsored Wangding Cup, hosting 35,000 participants.

In 2024, the world was offered a rare glimpse into this hacking ecosystem through a purported data leak from Chinese cybersecurity firm I-Soon, a leak that industry experts believe to be authentic. The documents posted to code sharing site GitHub seem to suggest the Chinese government contracts smaller private firms to hack on its behalf. There were some pretty interesting documents that showcased the hackers inside I-Soon doing the operations themselves. There's chat logs between multiple engineers in I-Soon over WeChat going, hey, do you think you can get into this system? The person responds with, yeah, like 80% chance, and if I don't get in, I'll leave immediately. And then a couple of seconds later you see the chat bubble go mail server, mail server. Meaning that they got into the Outlook inbox of whoever they were hacking at the time.

The other particularly unique element that is revealed in the I-Soon documents is how pervasive hacking is in the Chinese state. I-Soon itself had contracts not just with national or provincial law enforcement, but also city law enforcement branches. This is the equivalent of the Pittsburgh or Cincinnati, Ohio Police Department contracting out services to a bunch of hackers. It showed the link between not only the cybersecurity firms with the government, but also the through line from these hacking contests and the vulnerabilities that they discover going to a lot of these firms that they then use to ostensibly hack on behalf of the Chinese government. I-Soon employees and government officials have now been charged by US prosecutors.

Chinese hackers busted. The department is accusing China's intelligence services of hiring the suspect to target specific victims with these cyber attacks. In response, China has denied involvement with I-Soon and accused the US of conducting its own cyber espionage attacks. The tensions between the US and China have really rippled across the world and a lot of the consequences of that have taken the form of cyber espionage campaigns and disruption campaigns. The targets include phone companies and state agencies in India, Malaysia and Taiwan, as well as the British government and a couple of think tanks in London. According to news reports in the last year, two suspected Chinese state-backed hacking groups have been identified in US infrastructure. One, called Salt Typhoon by Microsoft, was allegedly tied to a breach of the US Treasury as well as telecommunication networks. So Verizon, AT&T, Lumen had call data and call records taken of many US citizens that were already in the hands of that company.

Meanwhile, the FBI says another group known as Volt Typhoon has also infiltrated critical infrastructure. The term that the experts use is called living off the land. So you can't see them because they're not doing anything out of the ordinary. They're existing within the environment that they have embedded themselves into. So that makes them really, really hard to detect.

Hi, are you Jamie? Hi, nice to meet you. Kate. Nice to be going. Dragos is a US-based industrial control system security firm with miniature facilities that simulate how critical infrastructure could be hacked. It's all connected through, you know, networks for the most part, and some of these could be accessible from the Internet. That's kind of a large vulnerability to it. What I have set up here is just a computer that's outside of the network. It's trying to get into the network and just using the tools that are available on the laptop, just figuring out how to get into this system. So I'm just checking if normal remote access tools are going to be available and log in as though I were the operator and adjust the water flow. So here you'll see it. An intruder in key systems opens up countries to potential disruption attacks, crippling them in times of conflict or unrest.

So let's say the electricity has been compromised and now no one has power in the city. You may have a generator backup that uses oil, but your oil refinery now has no power, so you're not making any more oil either. So it kind of has this domino effect where even your backups or the things that power your backups will slowly become unavailable as resources run out. So the hospital would be in trouble. They should have generators. But yes, they would be in trouble within a day. And all the other kind of critical services would also be impacted. Yeah.

Experts say a recent Volt Typhoon hack on the US territory of Guam, which has the closest military base to Taiwan, may be part of a strategic cyber warfare plan. According to a Bloomberg investigation, hackers hit telecom, federal and military networks and may never fully be removed. Having Guam's systems be impacted in that way has really poured out the signal that the military forces in the US may be disabled from being able to respond in a way that is immediate and urgent. The United States information and communications technology sector has been booming for about 50 to 70 years. The Chinese telecommunications sector has been booming for about 20 years. It's pretty hard to imagine that China could have overtaken the United States.

China distinguishes itself mostly by the scale of its operation, by the way in which it penetrates almost anything. To quantify what we're up against: the PRC has a bigger hacking program than that of every major nation combined. In fact, when it comes to mitigating risks against Chinese hacking activity, it's not very likely that you're going to prevent a Chinese hacker from wanting to keep doing what they're doing. However, being able to push for more international norms around responsible disclosure, around making sure that technology stays safe online, is a really important policy position that Western governments are trying to continue to push.

CYBERSECURITY, TECHNOLOGY, GLOBAL, HACKING, ESPIONAGE, INFRASTRUCTURE, BLOOMBERG ORIGINALS