Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future.
The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.
The backdating operations started after the publication of a Recorded Future report in November last year in which Recorded Future described how CNNVD delays the disclosure of critical bugs to give Chinese cyber intelligence agencies the time to evaluate the operational utility of said vulnerabilities.
Recorded Future has been taking snapshots of the CNNVD website in the past year and has detected backdating edits to at least 267 critical vulnerabilities.
For example, the publication data of CVE-2016-10136, a vulnerability in the Adups firmware included with many smartphones has been backdated 235 days, while the Office CVE-2017-0199 vulnerability has been backdated 57 days.
"CNNVD’s manipulation of its vulnerability publication data ultimately reveals more than it conceals," the Recorded Future team says.
"First, the selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities.
"Second, while many think of the MSS (Ministry of State Security) as primarily a foreign intelligence service, it also has a large, and arguably more important, domestic intelligence mandate."
Recorded Future analysts argue that the delay in disclosure and backdating of critical flaws were most likely carried out to hide security flaws from local companies, those expected to rely on the database for daily patching operations. This was done to aid surveillance of Chinese internal entities.
Nonetheless, experts now believe that because of the new backdating practice, foreign cyber intelligence agencies will have a harder time in spotting the critical flaws that MSS and its hackers are evaluating and pondering for their cyber arsenal. This will make preparing countermeasures much harder for foreign states.
In its November report, Recorded Future also revealed that CNNVD was housed in the same building as China’s Ministry of State Security (MSS), and was most likely under its firm control.
The US cyber intelligence firm had previously revealed that MSS was in charge of China's international hacking efforts, and was commanding Chinese-linked APT groups through government contractors —such as APT3.
Chinese officials have also recently banned Chinese security researchers from attending a foreign security conference, hoping to keep them from disclosing security flaws to western firms.