Seriously Risky Business Newsletter
June 26, 2025
Comparing the American and Chinese 0day Pipelines
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Authentik.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A new report from the Atlantic Council suggests the US needs to strengthen its exploit development pipeline if it wants to remain competitive in cyberspace.
That report, Crash (exploit) and burn, compares how the 0day supply chain approaches differ between China and the United States.
The author interviewed security researchers, national security and intelligence officials, and senior leaders from offensive hacking and vulnerability research companies in the Five Eyes countries.
As a result, the portion that sketches out the US acquisition pipeline is excellent.
Unsurprisingly, it says finding exploitable 0days is difficult and getting harder. When it comes to a government acquisition pipeline, the report identifies several factors that amplify this problem.
Current government contracting practices favor large prime contractors and focus procurement on very reliable exploits that can be used with very little risk of discovery. There's also a heavy compliance burden on contractors. The result is a very narrow acquisition funnel: buyers end up with exquisite, but very expensive, 0days.
The report also identifies gaps in US training pathways:
Moreover, few university programs produce engineers ready to write fully functioning exploits. Multiple vulnerability research firms interviewed referenced a "training valley of death," where entry-level engineers out of university still require a year or more of talent development before they can produce a marketable product. While some intermediate-level trainings exist in companies or at conferences, they are currently insufficient—in either technical depth or timeframe.
By contrast, the report says China has a:
…comprehensive and deliberate feeder system from universities, cybersecurity conferences, and hacking competitions into the Chinese offensive cyber apparatus. Chinese military universities and high-end science and engineering schools produce high-caliber graduates in deeply applied offensive cybersecurity research, some of whom are encouraged to develop final projects that involve hacking into US companies. Many of them, upon graduating, either work on offensive teams of existing offensive security firms, found an offensive cyber start-up, or work directly for high-end teams in China’s Ministry of State Security (MSS) or People’s Liberation Army (PLA).
The section on China's acquisition pipelines is less insightful. It describes what Americans think about China's pipeline, rather than sourcing information directly from Chinese experts. That would be difficult in the current climate, we admit.
Still, the report makes a compelling argument that America's 0day acquisition processes are no longer fit for purpose. American agencies need to make some serious changes to strengthen the 0day supply chain, like improving procurement processes and filling in the talent pipeline.
This Isn't the Cyber War We Were Promised
American cyber capabilities have been used to directly support military operations in Iran, but almost certainly in the most boring way possible.
At a Defense Department briefing, Joint Chiefs of Staff Chairman General Dan Caine said that US Cyber Command (USCYBERCOM) had supported US bomber strikes against Iranian nuclear facilities. He didn't provide details of what that support consisted of, although DefenseScoop speculated on the possibilities.
The most sensational of DefenseScoop's suggestions is that USCYBERCOM was monitoring Iranian air defense systems and was poised to disable them if incoming aircraft were detected. At the Pentagon briefing Caine said that "Iran's fighters did not fly and it appears that Iran's surface to air missile systems did not see us".
We don't think that's what happened. Axios reported the Israeli Air Force took out multiple Iranian air defence systems in the days leading up to the bombing run.
It is likely USCYBERCOM's contribution was a bit more mundane. DefenseScoop describes "something akin to a cyber escort package":
That includes backups and failsafes as well as ensuring the Department of Defense’s Information Network is up and running to enable communication. Defensive cyber protection teams would likely ensure infrastructure was up and running and protected from any adversary intrusions or disruptions. That could include teams supporting several combatant commands as well as those protecting the DOD Information Network and Transportation Command, headed by the DOD Cyber Defense Command.
Wow! That sounds as exciting as bus travel!
We wonder what sort of offensive opportunities USCYBERCOM would even have on Iran's Internet at the moment.
In the aftermath of recent Israeli-led cyberattacks, Iran's cyber security authority banned senior officials from using internet-connected devices and the government ordered a near total internet shutdown.
Fatemeh Mohajerani, an Iranian government spokesperson, cited security as a justification for the shutdown.
"Many of the enemy's drones are managed and controlled via the internet, and a large amount of information is exchanged this way … considering all these issues, we have decided to impose internet restrictions", Mohajerani said.
At time of writing, it appears full service has been restored after a total blackout that lasted about three days, with partial interruptions continuing for another four.
I guess that's one way to keep Cyber Command's options limited!
Three Reasons to Be Cheerful This Week:
- US goes after US$225 million in scam cryptocurrency funds: The US Department of Justice announced it has filed a court action to seize the funds. The Department's complaint alleges the funds come from the theft and laundering of proceeds from cryptocurrency confidence scams and "were part of a sophisticated blockchain-based money laundering network that executed hundreds of thousands of transactions".
- Passkeys on Facebook: Meta has announced it is introducing passkeys for Facebook on mobile devices. The passkeys will eventually work on Messenger as well.
- Microsoft to remove legacy drivers: Microsoft has announced it will remove old drivers from the Windows Update system. The idea is to maintain coverage across the hardware used in the Windows ecosystem "while making sure that Microsoft Windows security posture is not compromised".
Sponsor Section
In this Risky Bulletin sponsor interview, Fletcher Heisler, CEO of Authentik, talks to Tom Uren about the inflection points that make organisations consider rationalising their Identity Providers (IdPs). The pair also discuss sovereign tech stacks and how to earn the trust of customers.
Authentik is an open-source identity provider that is also offered with paid enterprise features. In this demo, CEO Fletcher Heisler and CTO Jens Langhammer walk Risky Business host Patrick Gray through an overview of the technology.
Shorts
Salt Typhoon Wildfire Continues to Spread
We are gradually learning more about the scope of the Chinese state-linked group Salt Typhoon and its compromise of telecommunications infrastructure.
This week, the Canadian Centre for Cyber Security warned the country's telecommunications companies are being targeted by Salt Typhoon. It also found evidence that "suggests this targeting is broader than just the telecommunications sector".
Last week, satellite communications company Viasat was identified as one of the group's US-based victims. AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream have also reportedly been affected.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion, Tom Uren and The Grugq dive into the motivations and actions of Predatory Sparrow, a purported hacktivist group that has been attacking Iran for the last five years and has leapt into the Iran-Israel war.
Or watch it on YouTube!
From Risky Bulletin:
Hackers breach Norwegian dam, open valve at full capacity: Unidentified hackers have breached the systems of a Norwegian dam and opened its water valve at full capacity in an incident this April.
The incident took place at the Lake Risevatnet dam near the city of Svelgen in Southwest Norway.
The valve ran at full capacity for four hours before the unauthorized change was detected.
[more on Risky Bulletin]
CoinMarketCap hacked via a doodle image: CoinMarketCap, the go-to website for checking cryptocurrency exchange rates, was hacked on Friday.
Hackers exploited a vulnerability in CoinMarketCap's animated logo (see CoinMarketCap's doodle obsession here) to append malicious code that displayed an unauthorized popup.
The popup ran a specialized phishing kit called a "crypto-drainer" that prompted users to connect their crypto-wallet accounts and then stole their funds. The malicious code ran for only a few hours, but according to reports, the hackers managed to steal almost $45,000 worth of assets from over 110 users.
[more on Risky Bulletin]
Russian hackers abuse app-specific passwords to bypass MFA: Russian cyber-spies have developed a new social engineering technique designed to extract application-specific passwords from their targets.
Also known as app passwords, or ASPs, these allow attackers to bypass multi-factor authentication and access a victim's Gmail account.
App passwords are supported on multiple online platforms, but this campaign specifically targeted Google's ASPs. These are 16-character codes that users manually generate from their Google account security page. They can be copy-pasted inside older apps that don't support Google's more modern 2FA/MFA authentication procedures.
[more on Risky Bulletin]