The China Software Testing Center is an organization under China’s Center for Information Industry Development (CCID), which is itself a think tank of the Ministry of Industry and Information Technology. The CCID oversees at least 20 organizations in addition to the CSTC, and the CSTC is its main functional unit. CCID issues standard-setting documents for technology, similar to NIST in the US, but also performs some military-related work for the PLA. CCID’s website even shows it runs a Military-Civil Fusion Research Institute, but the link for that organization’s website does not work. Through its constituent parts, CCID employs more than 2,000 experts, more than half of whom hold a relevant graduate degree or higher. CCID also publishes a dozen magazines and periodicals on different technologies for technical audiences.
The China Software Testing Center is home to a spectacular amount of talent in software security, evaluation, and development. Such skills have offensive and defensive implications for cybersecurity. As an institution that publishes many technical standards or standards for the evaluation of systems, these skills are ostensibly only used to improve cybersecurity. Many of the resources published by CSTC, including books and technical documents, can help defenders evaluate products for secure design and function. Indeed, much of the work the CSTC does is to evaluate products for vulnerabilities before they are certified for use in government systems, including the military and intelligence services, but also in infrastructure, banks, vehicle manufacturers, and some foreign firms. Such work likely accounts for the bulk of time, money, and effort expended by the CSTC.
China has a robust system for software vulnerability collection, evaluation, and dissemination. CSTC’s software evaluation and testing engineers get access to software vulnerabilities reported through China’s new mandatory reporting system. The CSTC is one of four organizations that oversee this new collection system, giving the center direct access to this pipeline. For the center’s experts dedicated to software testing and evaluation, this no doubt provides valuable insights. When a vulnerability is reported, they could use such data to provide customers who deploy those systems defensive steps until a patch is available or check that new products coming to market do not contain old vulnerabilities.
It would be a waste to not leverage such talent to help on offensive missions, however. The ability to evaluate and test software—that is, to identify and remediate vulnerabilities, and thoroughly understand the design and function of a particular product—is only offensive or defensive when someone decides what to do with the information. As previously stated, much of the work of the center is plainly defensive. But the contents of the report stand to say that there are, perhaps, offensive applications for the experts and expertise at the China Software Testing Center. In my estimation, they are primarily used for defensive work while serving as an expert “Help Desk” for offensive teams.
Why is that in this book?
CSTC has published many books on a variety of topics, including Intelligence Manufacturing Testing and Evaluation, FPGA Testing and Evaluation, Industrial Robot Testing and Evaluation, and Smart Car Testing and Evaluation.
One book published by the China Software Testing Center suggests the organization receives intelligence products from other government agencies.
Industrial Control System Testing and Evaluation Technology identifies tools used to evaluate and test the security of ICS systems. The reference book could help defenders evaluate the security of their facility or allow offensive teams to learn a new domain quickly as a sort-of reference guide. The book, published by CSTC, includes an annotated map of the Idaho National Lab’s SCADA Test Bed. The map of the facility appears to have been originally produced in the US—there is a small notation of an ADA accessible wheelchair ramp in English. But the map has been annotated in Mandarin. The authors note which rooms are classified conference rooms, classified cyber test beds, and identify the “attack and defense practice room.”
The book also states that the Cyber Security Test Bed at INL includes two classified evaluation platforms and a meeting room equipped with audio/visual technology. The authors note the meeting room is locked with a cryptographic lock and keycard access—in other words, a SCIF.
The inclusion of such detailed information about a US national laboratory in a book about technology to evaluate the security of ICS systems is astounding. The book goes on to cover Sandia National Laboratory, Argonne National Labs, Oak Ridge National Laboratory, and Pacific Northwest National Laboratory, and a handful of EU or Japanese labs, though none are covered in as rich detail as Idaho National Laboratory.
Subsequent chapters of the book describe CSTC’s own ICS Lab, its research focus, branches, and functions, before detailing the particulars of evaluating industrial networks and the tools that can help.
CSTC’s ICS Security Reliability Evaluation Laboratory has four core research functions: 1) product evaluation, 2) system evaluation, 3) offense and defense evaluation, 4) operations monitoring. The laboratory aims to achieve technical breakthroughs in each of the four areas, including offense and defense evaluation technology.
To achieve breakthroughs in these four areas of research, the ICS Security Reliability Evaluation (ICS-SRE) Laboratory targets five critical technologies for development:
Simulation and Emulation Evaluation Technology (模拟仿真测评技术)
Internet of Things Reliability Evaluation Technology (物理系统可靠性测评技术)
Industrial Control System Comprehensive Computational Capability Evaluation Technology (工业控制系统综合计算能力测评技术)
Reliability Monitoring Technology (可靠性监测技术)
Security Evaluation Technology (安全测评技术)
To this end, the ICS-SRE Lab planned to establish three centers:
Emulation Evaluation Center (仿真试验中心)
Data Comprehensive Computational Center (数据综合计算中心)
Comprehensive Environment Test Center (综合环境试验中心)
Four laboratories will be established to enable this research, along with at least facilities to provide services to China’s industries. The authors note that, for electrical grid and petrochemical facilities operators, the ICS-SRE Lab plans to offer services including establishing a semi-physical environment, improving the offense and defense research environment, conducting in-depth safety and reliability research on industry control systems, as well as improving vulnerability discovery in ICS systems and “improving the corresponding resource database.”
The rest of Industrial Control System Testing and Evaluation Technology, which is available on Amazon for now, includes detailed discussion of different tools and methods for evaluating ICS. The book’s content makes clear that its authors are an excellent source of knowledge on the intricacies of navigating industrial control systems. These skills would help defenders, including China’s own critical infrastructure operators, improve security and defensive operations. For offensive missions, they could serve as a help desk, answering questions and making recommendations about particular steps attackers could take or avoid.
But the CSTC’s work is not limited to researching and publishing. Many of the center’s experts participate in international trade bodies, like the Sino-German Intelligent Manufacturing Cooperation Enterprise Dialogue Working Group (中德智能制造合作企业对话工作组). CSTC has published a book on the evaluation and testing of intelligent manufacturing systems.
CSTC Talent and Roles
CSTC’s website touts its penetration testers’ capabilities, including their experience doing penetration outside China’s Great Firewall (外网渗透), winning CTFs, red-teaming services for clients, and remediating security vulnerabilities. Biographies of pentesters illuminate the CSTC’s good work. Meng Fanjun did “important information assurance work” for a G20 meeting, the 19th Party Congress, and Shanghai Cooperation Organization meetings. Pentesting for important government ministries is core to the CSTC’s DNA. A deprecated website of the CSTC’s Qingdao office, last updated around 2007, claims the branch had provided such services to the Ministry of State Security. Hacking into China’s civilian intelligence service to improve its security makes the CSTC’s capabilities clear: its offensive hacking and vulnerability remediation are capable enough to evaluate one of China’s hardest targets.
In 2021, CSTC launched a “CCID Artificial Intelligence Cloud Environment and CCID Wisdom Platform” (赛迪人工智能云环境和赛迪睿智平台). While the platform’s name is clunky and leaves much to the imagination, it likely performs the “AI testing and evaluation” services that CSTC claims to do elsewhere on its website. An employee biography hints further. Gao Huifang works on CSTC’s commercial AI product testing and evaluation platform.
An org chart of the CSTC makes clear the breadth of the organization’s expertise.
Where, oh where, has the CSTC gone?
The CSTC website offers addresses for three of its branch offices across China.
Address 1: 江苏省无锡市梁溪区南湖大道855号1701室
Following the CSTC’s website to its Jiangsu address is less clear than one might imagine. Chinese map websites situate the CSTC branch’s address in an industrial park for the National Sensor Information Center, which focuses on IoT devices, among other items. Although it is clear the building for the Jiangsu address exists, CSTC’s presence on-site is less clear. A list of companies located in the building at the address provided does not include the CSTC by name. The company which owns and operates that building has few offices available for lease, however. Pictures of the office on offer raise questions about the companies working at National Sensor Information Center and the nature of CSTC’s presence on the campus. The photos of the Raceway Science office, located in a building next to the address given by CSTC and still on the NSIC campus, include what appear to be models of guided munitions and an armored personnel carrier.
A few buildings over from this interesting property listing and still located on the National Sensor Information Center is the Wuxi Software Testing and Certification Center. The company’s website reads like a copy and paste job of the CSTC’s own website, and the company offers many of the same services as the CSTC, including pentesting.
Address 2: 广东省深圳市南山区科技园高新中一道软件大厦611
The second address on the China Software Testing Center’s website leads to a large corporate office building in downtown Shenzhen, the industrial heartland of the Pearl River Delta. Besides not being able to easily find the office, there is nothing particularly interesting or discernable about this address.
Address 3: 广东惠州市惠城区 仲恺高新区陈江街道仲恺六路137号潼湖生态智慧区创新园智汇楼3楼
The final address provided for CSTC branch offices raises even more questions. In the southern province of Guangdong, the CSTC’s local office is also not easily found by its address. Instead, another office park sits in place. Street views available on PRC map applications show a mostly empty collection of buildings painted in orange and blue. A car dealership and a few shops sit towards the front of the park, just off the main road. In the back of the office park sits an interesting building. Unlike its surrounding development, this building has an 8-foot concrete wall with barbwire atop it, an even higher tree line with dense foliage obscuring the view into the compound, and a security vestibule.
Two large characters sit atop the building (中科). The name can be read a couple of ways. The first character 中 is almost always short for China, but can also translate to central/center. The second character 科 often translates to science, but is also used to denote a division of an organization. So, it’s unclear if the building is most closely connected to “China Science” or a division of a larger entity.
A Guangdong government document entitled “Provincial Technology Contract Certification and Registration” offers insights beyond the high walls and barbwire. At the same address provided by the CSTC’s website, and seemingly with a mission that fits the building’s name of “China Science,” sits the China University Science and Technology Achievements Transformation Center for Southern China (中国高校(华南)科技成果转化中心). The institution is meant to help companies in China develop specific technologies that they need to compete in the market. The institution is run by the Ministry of Science and Technology and the Ministry of Education—its regional offices coordinate the research and development efforts of universities in their region of China.
So why the high security for an organization that coordinates educational institutions’ research priorities, and why is it co-registered to the same address as the China Software Testing Center’s office? It may be that the CSTC is facilitating the targeted collection of foreign technology aligned with the needs of companies in China. Three documents entitled “2021 Register of Enterprise Technology Requirements,” written by the S&T Achievements Centers, read like a targeting list.
Among more than 150 pages of requirements, readers can find detailed documentation of technology that local companies have identified for development. The example below is a request for self-driving car technology; the company that requested the technology is “a high-end technology company” and they are looking for a joint-development opportunity.
There are alternative explanations for the matching addresses, however. The CSTC could be providing product evaluation and certification services for companies and universities working with the S&T Achievement Center. These services could aid the pace at which technology is moved from the lab to the market by providing products with quick certification. But why not say so, and what’s with the secrecy? Providing product evaluation or certification in concert with local universities hardly calls for a secure compound.
CSTC hires people to work at addresses other than the three listed on its homepage, however. A job posting for a pentester listed an office address in Chengdu. Other listings for software evaluation engineers and program managers list an address in Wuhan. CSTC is also hiring cybersecurity evaluation engineers and penetration testers in Xiamen.
Beijing CCID Software Evaluation Engineering Technology Center Company
(北京赛迪软件测评工程技术中心有限公司)
The China Software Testing Center is home to many specialized laboratories, testing centers, and research institutes. The Beijing CCID Software Evaluation Engineering Technology Center Company, or Beijing CCID, is one of those 20 institutions: its purpose is to support military-civil fusion. Beijing CCID is also known as the “CCID Military Use Software Evaluation Laboratory” (赛迪军用软件测评实验室). Many important PLA institutions are listed among its clients, including the CCP’s Central Military Commission, the State Administration of Science, Technology and Industry for National Defense (SASTIND), “every branch of the armed services” (各军兵种), and “each military industry group and related research institution” (各军工集团及相关科研院所). Stated more plainly, the subsidiary of CSTC serves the whole PLA.
Beijing CCID, like CSTC itself, is billed as providing software evaluation services for many types of products. Whereas CSTC might check consumer goods to make sure there are no glaring vulnerabilities or that industrial control systems for critical infrastructure are properly configured, Beijing CCID would check military-use goods for exploitable flaws, known vulnerabilities, or poor design. The company’s headquarters is in a Beijing skyscraper dedicated to China’s Center for Information Industry Development (CCID), also known as the CCID Research Institute.
But press releases from the Military Work Department of CCID claim Beijing CCID exhibits some behavior clearly unrelated to standard setting or military equipment evaluation and certification. For example, one post lauds Beijing CCID’s software evaluators for quickly deploying to help their clients overcome technical hurdles in support of their responsibilities. Few use cases of emergency software evaluation in support of a military come to mind besides leveraging the considerable software expertise of Beijing CCID (and thus CSTC as a whole) in support of an offensive mission. Although CSTC tries to push out most of its military-related work through Beijing CCID, its own press releases show CSTC staff meeting with two military research institutes.
A 2023 hiring bulletin for Beijing CCID indicates the company planned to hire 50 graduates from software engineering and computation theory majors.
Conclusion
China Software Testing Center…
Seemingly receives intelligence products on US national labs or produces its own,
Runs its own labs for many kinds of products, including ICS, smart cars, etc., as well as running a “Special purpose lab,” whose website is inaccessible,
Oversees Beijing CCID, which specializes in military-civil fusion,
Is subordinate to CCID, which itself runs a military-civil fusion lab,
Houses immense technical talent on software testing and evaluation,
Performs pentests on sensitive government agencies, including the Ministry of State Security,
Has an address registration overlap with an S&T Technology Conversion Center for a cohort of universities in southern China at a facility with high security,
And has separate co-location at a national industrial park with other businesses seemingly involved in military equipment work.
But the majority of the CSTC’s roles, responsibilities, and publications are apparently defensive. Standard-setting documents, books, and magazines do not constitute offensive work. Despite all the references to supporting the PLA through military-civil fusion, including its own labs, there are no hallmarks of the typical, oblique references to offensive work observed at other institutions in China. My best guess, based on all the information currently available, is that the CSTC, at most, serves as a help desk for offensive teams—providing occasional expert insights into targeted systems or developing special-use tools for those targets. I welcome input, public and private, that helps refine this hypothesis.
The information tells us. It's all about monitoring, technics, datamining, 'security', science, trade etc.
in American national labs in ca. 600 places in the world. Amazon is the great download station. Even national health care personal data from people in p.e. from The Netherlands!
CTSC is the system called. For me it looks like surveillance for which we warned for by Snowden who had to flee from his country. So governments are involved! "My thoughts."
Universities science:
Radboud University Nijmegen worked with China on a system to recognize faces and specialties of race.
So far is it already gone. Do you like freedom?