If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.

Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.  

This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach.  

Key findings: 

• Zero-day exploitation is becoming more difficult, opaque, and expensive, leading to “feast-or-famine” contract cycles. 
• Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes (FVEYs) market, while eroding trust between buyers and sellers.  
• China’s domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia. 
• The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse – focused on defense rather than offense.  
• The US acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements. 
• China’s acquisition processes use decentralized contracting methods. The Chinese Communist Party (CCP) outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and “n-day” usage.    
• US cybersecurity goals, coupled with “Big Tech” market dominance, are strategic counterweights to the US offensive capability program, demonstrating a strategic trade-off between economic prosperity and national security. 
• China’s offensive cyber industry is already heavily integrated with artificial intelligence (AI) institutions, and China’s private sector has been proactively using AI for cyber operations. 
• Given the opaque international market for zero-day exploits, preference among government customers for full exploit chains leveraging multiple exploit primitives, and the increase in bug collisions, governments can almost never be sure they truly have a “unique capability.”   

Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.

Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.

In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.

The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.

"The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the Citizen Lab said, attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool.

With 70 zero-days uncovered so far this year, 2023 is on track to set a new record.

Spyware is sold to countries including Egypt, Indonesia, Oman, Saudi Arabia, and Serbia.
Smartphone malware sold to governments around the world can surreptitiously record voice calls and nearby audio, collect data from apps such as Signal and WhatsApp, and hide apps or prevent them from running upon device reboots, researchers from Cisco’s Talos security team have found.

Google’s Threat Analysis Group (TAG) tracks actors involved in information operations (IO), government backed attacks and financially motivated abuse. For years, TAG has been tracking the activities of commercial spyware vendors to protect users. Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.

Information about 0-days exploited in-the-wild!

We identified 80 zero-days exploited in the wild in 2021, more than we've seen in any year.

A Year in Review of 0-days Used In-the-Wild in 2021