US intelligence said that the Chaos iPhone remote takeover exploit was used against the minority Uyghurs ethnic group before Apple could patch the problem.
In late 2018, a Chinese security researcher working with the internet security & antivirus company Qihoo 360 unveiled an intricately woven exploit chain: one that would allegedly let a remote attacker jailbreak an iPhone X running iOS 12.1.
The researcher, Qixun Zhao, dubbed the exploit Chaos, for good reason. As his proof-of-concept video allegedly shows, a successful exploit would let a remote attacker jailbreak an iPhone X with the targeted user none the wiser, giving the intruder access to the victim’s data, processing power & more. It worked as a drive-by attack: the only requirement was that the iPhone user visit a web page containing Qixun’s malicious code.
It would have made a superb spying tool, seeing how it would let an attacker take control of even the newest, fully up-to-date iPhones, enabling a snooper to read a victim’s messages & passwords & to track their location in near-real time.
According to a report published by MIT Technology Review on Thur., that’s exactly what happened: “Virtually overnight,” Chinese intelligence allegedly used the exploit as a weapon before Apple could fix the problem.
The publication commented that, according to its sources, the US has amassed details of how the Chaos exploit was used to hack China’s Uyghur Muslims — a common target of espionage campaigns. The claim is bolstered by earlier reporting: In Aug. 2019, sources told TechCrunch that malicious websites used to hack into iPhones over 2 years were targeting the Uyghurs.
Google security researchers had found & disclosed the malicious websites a week before TechCrunch’s report, but they hadn’t initially known who the malicious sites were targeting. However, they knew that the code looked familiar: In an in-depth examination, Google noted how similar the malicious-sites exploit was to Chaos.
Now, MIT Technology Review has learned that the US had come to the same conclusion, & that it had “quietly” informed Apple. Apple, which had been tracking the attack, had already come to the same conclusion on its own: That the Chaos exploit & the attacks on Uyghurs were “one & the same,” as the outlet puts it.
Prioritising a difficult fix, Apple issued an update to patch the defect in Jan. 2019.
The patch arrived 2 months after Chaos had been unveiled at the inaugural Tianfu Cup:
A Chinese hacking contest that came into being a few months after the country banned its cyber-security research teams from competing in the Pwn2Own hacking competition…or, for that matter, in any foreign hacking or capture-the-flag competition.
The ban on researchers attending foreign competitions grew out of a distaste for giving away vulnerabilities, whether by disclosing them publicly to conference audiences or by burning them live on stage in hacking contests.
Both the ban & the subsequent launch of the Tianfu Cup had followed close on the heels of an announcement from Qixun’s boss – Zhou Hongyi, the billionaire founder & CEO of Qihoo 360 – criticising the export of vulnerabilities that, once made public, can “no longer be used.”
Both the researchers & their know-how should “stay in China,” he cautioned, in order to maximise the “strategic value” of zero days.
In an interview with the Chinese news site Sina, the influential CEO called the achievement of winning cash prizes at foreign competitions “imaginary.”
Qixun Zhao has emphatically denied involvement, telling MIT Technology Review that he could not remember who came into possession of the exploit code following his win at Tianfu Cup, for which he was awarded $200k.
Google & Apple
Although he suggested that the exploit used against the Uyghurs was probably deployed “after the patch release,” both Google & Apple have documented that it was in use before the Jan. 2019 fix.
He said his exploit shares code with other exploit writers’ work, but Apple & US intelligence sources told MIT Technology Review that the 2 exploits are not merely similar; they are the same. That does not mean Qixun was personally involved: Chinese law requires citizens & organisations to cooperate with intelligence agencies when asked, so the code could have been handed over without his participation.
Scott Henderson, Principal Analyst at FireEye Mandiant Threat Intelligence, said on Fri. that if China is really doing what the reports allege, it is hardly surprising, & that it is not just the Uyghurs who are under its microscope.
“It is important to understand that it is a strategic imperative for China to maintain the national integrity and sovereignty of the country’s borders,” he observed.
“In addition to Tibetan & Uyghurs, Beijing also monitors Hong Kong, Taiwan, the Catholic Church, &, in the past, members of the Falungong. It is a persistent problem for human rights organisations, as well as government and private entities that are involved in, or even that comment on, China’s human rights issues.”
Henderson said this is not the 1st time that “tangential connections” have been drawn between a Chinese hacking competition & state-sponsored activity.
E.g., he pointed to Mandiant Threat Intelligence having observed infrastructure related to a Chinese hacking cup event that showed potential connections to a group of threat actors it calls TEMP.Avengers, a.k.a. Hurricane Panda & Black Vine.