LABScon24 Replay | A Walking Red Flag (With Yellow Stars)

APT40 used CTFs at Hainan University to recruit hackers and source software vulnerabilities for operations. Jiangsu MSS received vulnerabilities from the Tianfu Cup. iSoon hosted their own CTF before their files were leaked on GitHub. Chinese intelligence cutouts tried to pitch US participants at RealWorldCTF. The list goes on.

A diverse ecosystem of CTFs exists in China and it has, until now, been largely ignored. Since 2017 when the PRC government issued rules to bolster cybersecurity competitions, incorporate them into talent cultivation and training programs, and limit the amount of money to be paid out in rewards, China’s security ecosystem has launched more than 150 unique competitions. Including competitions that are held annually, the number of events since 2017 exceeds 400.

Not all these competitions are software vulnerability competitions like Tianfu Cup—in fact, few are. Most are aimed at talent cultivation and recruiting, and many are hosted by the military, the intelligence services, or other arms of the state.

This talk explores the diversity of China’s CTF ecosystem, its major leagues and events, and the annual number of participants across society. It highlights competitions held expressly by the Ministry of State Security and the PLA—delving into the competitions’ particulars. Defenders with appropriate CTI collection capabilities will better understand how to target their collection efforts on specific individuals in China.

About the Authors

Dakota Cary is a strategic advisory consultant at SentinelOne. His reports examine artificial intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. Prior to SentinelOne, he was a research analyst at Georgetown University’s Center for Security and Emerging Technology on the CyberAI Project.

Eugenio Benincasa is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, Eugenio worked as a Threat Analyst at the Italian Presidency of the Council of Ministers in Rome and as a Research Fellow at the think tank Pacific Forum in Honolulu, where he focused on cybersecurity issues. He also worked as a Crime Analyst at the New York City Police Department (NYPD).

About LABScon

This presentation was featured live at LABScon 2024, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon 2025 here.

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

Kryptina RaaS is a Linux-focused RaaS platform & service that started life as an unsellable giveaway. However, large-scale ransomware operations are now adopting the platform to extend their reach into Linux and cloud environments.

In this talk, Jim Walter reveals how a recent leak from a Mallox ransomware-affiliated actor’s staging server provided insight into how Kryptina has been adapted for use in enterprise attacks.

The presentation focuses on recent developments and provides an understanding of why threat actors are attracted to the Kryptina platform, and what this means in the context of victims and targeting.

Jim also dissects what was included in the May 2024 Mallox leak and improvements and modifications that threat actors have made to the Kryptina platform.

About the Author

Jim Walter is a Senior Threat Researcher at SentinelOne focusing on evolving trends, actors, and tactics within the thriving ecosystem of cybercrime and crimeware. He specializes in the discovery and analysis of emerging cybercrime “services” and evolving communication channels leveraged by mid-level criminal organizations.

LABScon24 Replay | Resilience and Protection in the Windows Ecosystem

In this exclusive interview at LABScon 2024, award-winning investigative journalist Kim Zetter and Microsoft Corporate VP Enterprise and OS Security David Weston discuss Microsoft kernel security, the CrowdStrike outage, AI, and how Microsoft plans to improve the resilience and security of the Windows ecosystem.

As the world’s data has increasingly become associated with Microsoft infrastructure and exposed to Microsoft products, threat actors have focused their efforts on exploiting security weaknesses in the vendor’s operating system. Weston and Zetter explore how this has led Microsoft to raise the priority of security at the engineering level, even at the expense of curtailing operating system features.

In addition, the conversation ranges over how the CrowdStrike outage of 2024 led Microsoft to a new focus on resilience and to the development of a user mode API to restrict access to the kernel to third party products. Weston also discusses the need for security vendors to implement secure deployment practices to better protect customers from rogue updates and tackles questions around the use of AI and the controversial Windows Recall feature.

About the Authors

David Weston is Corporate Vice President, Enterprise and OS Security at Microsoft where he is responsible for the security engineering of Windows, Azure Linux, XBOX, Windows Server, the Azure OS as well as the Offensive Security Research & Engineering Team.

Kim Zetter is an award-winning investigative journalist who has covered cybersecurity and national security for more than a decade, most notably for WIRED, where she wrote for thirteen years, and more recently for the New York Times Magazine, Politico, Washington Post, Motherboard, and Yahoo News. She has been voted one of the top ten security journalists in the country by security professionals and her journalism peers.

LABScon24 Replay | Farmyard Gossip: The Foreign Footprint in US Agriculture

Who really owns America’s farmland, and why does it matter? In this deep dive into the secretive world of foreign investment in U.S. agricultural land, Kristin Del Rosso and Madeleine Devost explore the growing trend of foreign ownership, which has surged by 50% since 2017, and its profound implications for national security. Using the USDA’s data, the presenters shed light on how these investments could potentially impact everything from local economies to national defense.

The talk dives into the complexities of the USDA’s data collection methods, revealing how manual processes and outdated systems obscure the true extent of foreign ownership. It also discusses the critical role of the Committee on Foreign Investment in the United States (CFIUS) in safeguarding national interests, and the urgent need for improved data sharing and automation between CFIUS and the USDA.

Through real-life examples, including controversial land purchases near sensitive military sites, Kristin and Madeleine illustrate the potential risks and propose actionable recommendations to enhance transparency and security.

About the Authors

Kristin Del Rosso is co-founder and managing director of DevSec, a research firm that provides advanced analytics blended with cyber investigation techniques to support analytics, investigations, and intelligence enrichment in novel ways. Prior to DevSec, she worked as the Public Sector Field CTO at Sophos, and has a background in security product management, threat intelligence, and reverse engineering.

Madeleine Devost is an intelligence analyst at Nisos focusing on open-source investigations. Prior to Nisos, she worked as a threat intelligence and investigations consultant for a number of firms including Excivity, RiskIQ and Microsoft.

LABScon24 Replay | Follow the Money: Uncovering the Incorporation and the CCP’s Ownership of Chinese Firms Investing in the USA

Chinese foreign direct investment should trigger American national security concerns, but much of it doesn’t. In this ‘behind closed doors’ talk at LABScon 24, Elly Rostoum reveals why and what can be done to improve our understanding of the influence of Chinese FDI.

Chinese foreign direct investment (FDI) enabled the technology revolution in China and set China as a strategic competitor to the United States. It opened new global markets, redrew trade routes, tapped into intellectual property, allowed for opportunities in industrial espionage, reshaped supply chains, and allowed for technological breakthroughs in genomics, quantum computing, artificial intelligence, and other critical and emerging technologies that are quite simply re-imagining the world.

But who exactly owns the Chinese firms undertaking this FDI?

The research presented by Elly Rostoum in this LABScon 2024 keynote address tracks the incorporation structures and ownership of the 672 Chinese firms undertaking FDI globally.

Taking the audience on a journey from how Chinese FDI triggers – and sometimes fails to trigger – American national security concerns to the complex ownership structure of Chinese businesses operating within the U.S., Elly Rostoum reveals how the Chinese government has been able to evade American national security reviews by instrumentalizing investment through 3rd & 4th+ level subsidiaries, private equity, and holding companies.

While much policy and attention has been focused on the investments of Chinese state-owned enterprises, Elly Rostoum argues that the real threat is “within” and buried in the details: seemingly “American” businesses that are ultimately owned by Chinese investment companies.

About the Author

Elly Rostoum is a former U.S. Intelligence Analyst and National Security Council staffer at the White House. She is the Managing Director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, where she teaches courses on national security vulnerabilities of critical and emerging technologies, intelligence, public policy, strategic studies, and energy markets; with a regional expertise covering China and the Middle East.

LABScon24 Replay | The Real AI Race: Disinformation in the Taiwanese Election

AI disinformation, deep fakes, armies of lying bots, and automated deception are the biggest threat to our elections, or so we’ve been told. But looking at Taiwan’s 2024 election, none of these nightmare scenarios materialized. The near-total absence of effective AI disinformation from China, America’s most advanced opponent, was surprising. Even more so given the focus on the election at the highest levels of the Chinese government.

In this highly engaging talk, Martin Wendiggensen details how he set out to study the election and collected tens of thousands of hours of footage from YouTube and television as well as hundreds of thousands of news articles, blog posts, and social media posts. This collection was then analyzed with a multi-modal AI pipeline. The results indicated that the small amount of AI-generated content received no engagement and had no impact.

Instead, Taiwanese billionaires earning most of their money in China mounted a concerted effort to buy or set up local news outlets in Taiwan in the run-up to the election. A large-scale analysis of these outlets’ output uncovered interesting results. To a viewership numbering in the millions, they presented slanted narratives aligned with the Beijing-friendly KMT and a new emergent third party. While losing the presidential election, these two parties managed to wrest control of Taiwan’s parliament and are set to have a major impact on the country’s foreign and domestic policies.

This presentation guides the audience through Chinese and local disinformation efforts in the Taiwanese election, highlighting the main lessons that can be drawn from them to safeguard future elections. Along the way, Martin explains the research methodology and toolbox that leverages open-source AI to fight disinformation.

About the Author

Martin Wendiggensen is a PhD candidate and lecturer at the Alperovitch Institute, focusing on Great Power Competition in Cyberspace, especially competition around AI and state-sponsored information operations. He has conducted research at NATO as well as the University of Mannheim, and applied his knowledge in Artificial Intelligence at his own small startup, which won contracts to monitor electoral environments. Currently, he is conducting research on AI-generated content using Advanced Research Computing at Johns Hopkins SAIS.

LABScon24 Replay | The Ransomware Trust Paradox

In his keynote talk at LABScon 24, Max Smeets explores how ransomware operators build a unique relationship between themselves and their victims. In contrast to most other threat actors, ransomware operators rely on and leverage public visibility into their activities. Unlike APTs and other threat actors that prize stealth, ransomware gangs seek to publicize their attacks in order to convince future victims that they are trustworthy enough to deliver on their promises – providing a decryptor and deleting stolen data – if paid.

In ‘The Ransomware Trust Paradox’, Max observes that this notion of trust is not only a prerequisite for ransomware gangs’ profitability but also relies on media and security vendor reporting. Detailing the mechanisms by which ransomware operators establish trust, build brand awareness, and foster a reputation for reliability, this talk is essential viewing for anyone reporting on crimeware activities.

Max calls for the establishment of a reporting code of ethics for threat intelligence and the media, and a shift in policy to undermine the trust dynamics between threat actors and their victims.

About the Author

Max Smeets is the author of Ransom War: How Cyber Crime Became a Threat to National Security and No Shortcuts: Why States Struggle to Develop a Military Cyber Force. Max is Co-director of Virtual Routes and Senior Researcher at ETH Zurich.

LABScon24 Replay | Let Them Eat Cake: “Secure by Upgrade” Software is a National Security Threat

Ransomware is doing more to change the security landscape than the last 20 years of Secure Development Lifecycle, DevSecOps, zero days, breaches, or any corporate memo. Pair this with predatory pricing models from software vendors that sell security features as add-on products in premium or enterprise-tier licenses, and you’ve got a perfect storm that hits small and medium-sized businesses (SMBs) the hardest.

In this hard-hitting talk, Kymberlee Price reveals the technical chaos facing the US’s largest employment sector: SMBs. With restricted budgets, a lack of expertise, no access to consumer reports by which to clearly compare products, and a SaaS industry that makes basic security features like SSO a premium add-on, many businesses remain easy pickings for threat actors in a rapidly expanding crimeware landscape.

Why should we care about this, is it really a national threat, and what can a bunch of security engineers do about it?

About the Author

Kymberlee Price is a dynamic engineering leader and public speaker known for developing high-performing multidisciplinary teams responsible for the security and integrity of software products, services, and infrastructure. A recognized expert in the information security industry, she has extensive experience in product security incident response and investigations, coordinated vulnerability disclosure and bug bounties, Secure Development Lifecycle (SDL), and Open Source Security strategy. Kymberlee speaks regularly at conferences around the world and is currently on the content review board for Black Hat USA and LocoMocoSec.
