At 1:00 a.m. on October 27, in the still-lit room of Viettel Cyber ​​Security Company (VCS), 14 members of the VCS team exploded with joy: The team won the championship of the world's largest and most prestigious cyber attack competition Pwn2Own 2023.

It was not only the expected result of three months of continuous work day and night by the whole team and resilient competition against the strongest opponents from all over the world!

That is not only the first sweet fruit for the youngest member of the team, Do Anh Dung, born in 2003, currently a 3rd year student at the University of Technology (VNU)!

It is not only the desire to reach the highest position of the competition for members such as Ngo Anh Huy, Nguyen Xuan Hoang, Nguyen Hong Quang... who have tried their hand at this tournament for several years!

It is also an honor to bring the country the highest position in one of the most prestigious competitions in the world, affirming the capacity of Vietnamese people in the field of information security and safety.

And above all, it is the "sweet fruit" harvested from the seeds that Viettel has steadfastly planted many years ago. Up to today, Viettel, with VCS and a team of information security experts in hand, can be proud to be one of the world's leading companies in information security and safety capacity.

The 14 members of the VCS team that won the Pwn2Own 2023 championship are all very young. Most of the members are from the 9x generation, the youngest member was only born in 2003.

But most of the team have been "fighting" for many years, have a wealth of experience and achievements in the field of information security and safety. Even the youngest member of the team, Do Anh Dung, has already asserted himself: Dung is the one who created a miracle in this competition, winning a category to contribute to the overall results of the whole team.

At the end of the final round on the evening of October 27, the team of Viettel Cyber ​​Security (VCS) officially won the highest victory with 30 Master of Pwn points, leaving the gap with the second place team at 12.75 points.

With this convincing score, VCS established the championship title against many international opponents, who are considered strong candidates for the championship of the tournament such as Sea Security (Singapore), Vupen, Synacktiv (France) and Devcore (Taiwan - last year's champion team)...

Sharing about the challenges during the preparation for the competition, VCS team member Ha Anh Hoang said: Three months before the competition, the Organizing Committee announced the equipment to be conquered. Therefore, the preparation time was only three months because at that time, the team had just purchased equipment to research. Of which, many devices had to be imported from abroad and it took a whole month to wait for them to arrive in Vietnam.

According to another team member, Nguyen Xuan Hoang, "The competition has competitors who have been participating for a long time. They have a lot of experience, and there are also very strong competitors both economically and professionally. The VCS team determined that we must enter the competition with the most careful preparation, solidarity, and a suitable competition strategy to achieve the highest success in this year's competition."

Hoang added that last year, the VCS team won second place in this competition with a score that was very close to the champion team, only losing by 2.5 points. Therefore, the team is determined to aim for the championship this year.

But the road to the championship is not simple: The attack targets in this competition are all popular devices and software in the world, from leading manufacturers such as Microsoft, Apple, Google, Samsung... - Nguyen Xuan Hoang shared.

To meet the contest's requirements, the device had to be ordered from the US, but in just a moment of carelessness, the device "died" because it used a 110v power source suitable for the US market, while Vietnam uses 220v.

According to Ngo Anh Huy, a member who has participated in this competition four times, the team's biggest fear is duplicate errors or the manufacturer not having time to patch the security holes that the team registered. Last year, Viettel's team only won the runner-up position because they were deducted points for having a duplicate vulnerability.

Not only that, the challenge came at the last minute, because of the visa delay, the whole team could not travel to Toronto (Canada) in time to compete live. Instead, the 14 members of the VCS team had to compete online with many worries about possible problems that could not be resolved during the competition...

But the final result said it all… Not only did the VCS team win, they also won spectacularly.

"When we won the final 10 highest points category, the whole team burst into joy and happiness because we had proven that this championship was a convincing victory, without any doubt" - Nguyen Xuan Hoang proudly recalled that moment.

After participating in Pwn2Own continuously for the past four years, the VCS team has won the Pwn2Own championship for the first time. This is a software and consumer electronics attack competition held twice a year by the Zero Day Initiative cybersecurity organization, one of the most "difficult" cybersecurity competitions in the world today.

Mr. Nguyen Son Hai, Director of VCS, said that in 2020, Viettel had its first victory in this "playground" with the SmartTV category. In 2021, Viettel entered the Top 5. In 2022, it was second place. And this year, it rose to win the championship with an overwhelming score.

Competing at Pwn2Own are not only famous cybersecurity teams in the world but also large manufacturers and technology corporations around the world. Each exam will have questions on popular software or hardware devices such as Windows operating system, Apple, Xiaomi, Samsung phones or Canon, HP printers...

Teams compete to find unknown security vulnerabilities in software and devices and must demonstrate live exploitation of those vulnerabilities within 30 minutes.

"Why can we say that the opponents are not only other security expert groups, but also device manufacturers such as Apple, Xiaomi, Canon, TP Link... because they hate being known as having vulnerabilities in their devices, losing the trust of customers. These device suppliers always have a security team and are willing to pay large sums of money to patch the bugs in their products before the competition takes place so that the products are not disgraced in front of the public," expert Nguyen Hong Quang, a member of the VCS team, shared with Tuoi Tre .

Therefore, the competition will be intense from the opening to the last minute. Because it is entirely possible that the vulnerabilities discovered by the teams will be unexpectedly patched by the manufacturer right before the competition day, causing a team to lose all their efforts and achievements.

Therefore, "closer to the performance time, we had to work day and night to "watch" to see if the vulnerabilities we discovered still existed, and closely monitor the manufacturer to see if they patched the bugs we discovered," said Ngo Anh Huy, an experienced Pwn2Own player of the VCS team.

The Pwn2Own 2023 Toronto competition focuses on hardware, including mobile phones, smart speakers, surveillance systems, networked storage systems, and office electronics. Each category has prizes ranging from $30,000 to $100,000 and scores ranging from 2 to 10 points depending on the difficulty of the device and the level of completion of the attack demonstration.

The most valuable in both prizes and points is the final category, mash-up, which requires teams to execute exploit code on one of the competition's given network routers and thereby attack a device in the aforementioned categories, for a prize of $100,000 and 10 points.

After completing the individual categories, successfully attacking the Xiaomi 13 Pro phone, QNAP TS 464 storage system, Canon imageClass MF753Cdw printer, Sonos Era 100 speaker, the VCS team scored 20 points, almost certain to win the championship because the opponent Sea Security only scored 17.25 points, after completing all the individual categories and the combined category.

There is no longer too much competitive pressure, but the final category still haunts VCS engineers because the lack of points in the mash-up competition is the reason this team missed out on the championship last year. "This time, entering the smash-up category, we continue to be at a disadvantage when drawing lots for the next round, if we have the same loophole as the previous team, we will be deducted points," Ngo Anh Huy shared. Such a duplicate error caused VCS to be 2.5 points behind the first-place team in last year's Pwn2Own.

"This year, we not only tried to exploit new vulnerabilities, but also deliberately chose vulnerabilities that were very difficult to find and difficult to overlap with other teams, or that were easy to find but difficult to exploit, as well as having many backup plans. This is the result of three months of focused research by the whole team," Huy said.

As a result, the VCS team achieved 10/10 points in the combined category and won the overall championship with a total score of 30, surpassing the runner-up by 12.5 points, winning spectacularly and completely.

"We chose Pwn2Own to compete because it is a competition on the most popular devices in the world, from leading manufacturers with a strict testing process," said Mr. Nguyen Son Hai, director of VCS. "Investing in a specialized research team and competing in the international arena is part of VCS's efforts to develop human resources."

The journey to the Pwn2Own 2023 championship of the VCS team is the result of a long journey, a legacy, a vivid demonstration of the vision many years ago of Viettel Group's leaders in the field of information security.

More than a decade ago, when VCS Director Nguyen Son Hai was still the same age as the members of the Pwn2Own 2023 championship team, Viettel Group's leaders were determined to invest in the field of information security.

The first seeds for a young field were soon planted and cared for by Viettel in a systematic and strategic manner.

VCS’s in-depth research journey began in its early years, with only six people initially working on information security. Since 2011, the VCS team has conducted mock attacks with units within Viettel Group to highlight security issues.

"Because of operating critical infrastructures, Viettel has a research vision that considers network security as a pillar," said Mr. Son Hai. "In network security, people are the most important factor. Even when using the world's best products but only as an end user, the risk of being attacked is still very high, while Viettel's critical infrastructures such as mobile and Internet are the target of attacks by the largest groups in the world."

To have a team of experts to protect critical infrastructure, VCS aims to train cyber security personnel with capacity equivalent to the world. From 2015 to now, Viettel and VCS have trained 450 students, of which 5% of the most suitable personnel have been recruited to continue working, Mr. Hai said.

"After building a team of experts and investing in in-depth research, we continue to find ways to invest to enhance the attacking skills of the VCS team of experts. Participating in world-class competitions is also for this purpose," said Mr. Nguyen Son Hai.

In 2013, VCS began its research on zero-day vulnerabilities, vulnerabilities that were unknown and unpatched and therefore the most expensive, with Anh Huy and Hong Quang being two of the first experts. By 2015, the VCS team found the first vulnerabilities and to date, the number of vulnerabilities found by VCS has reached 400.

"No Vietnamese business has reached such a number, and not many in the world," Mr. Hai expressed.

The opportunity to be trained through participating in in-depth research is the reason why VCS has become an attractive workplace for cybersecurity experts who just won first place at Pwn2Own. When asked why he chose Viettel, Anh Huy said: "From my experience, not many companies are willing to invest long-term in cybersecurity research and research teams."

"Especially, in the field of cyber security, human factor is the most important. Therefore, VCS is always aware of training, improving the team and building the next generation of highly qualified staff, always ready for international problems" - VCS Director Nguyen Son Hai emphasized.

At the ceremony to honor and congratulate the team members participating in the competition, Chairman and General Director of Viettel Group Tao Duc Thang expressed his pride in the Viettel "white hat hackers". He affirmed: "Viettel is proud that the VCS team won the prestigious award in the field of global network security, 'competing' with the world's leading equipment manufacturers with large R&D units".

The head of Viettel Group assessed that "Pwn2Own is a prestigious competition with a very high level of difficulty for any hacker. The competition is likened to a 'battle' with manufacturers who own the world's top information security teams, ready to respond to hackers until the last minute. A game with no age limit, and can even involve multinational cooperation..." Therefore, Mr. Tao Duc Thang said: "The Pwn2Own 2023 championship has made Viettel and Vietnam famous in the international arena", the group's chairman proudly said.

Chairman Tao Duc Thang also acknowledged that the field of cyber security is huge, a long road for Viettel experts and there are many challenges ahead.

"To maintain the Top 1 position is not easy, so we need to continue to work harder and have big dreams, constantly yearning to turn dreams into reality to bring Vietnam to the world," Mr. Tao Duc Thang emphasized.

The Chairman of Viettel Group also shared that in the coming time, the Group will have specific policies to train high-quality human resources, so that they can continue to confidently devote themselves to their work.

Assigning the task to VCS, Mr. Tao Duc Thang emphasized that VCS needs to continue training more security experts, determining to train the next generations with the best foundation to serve not only the corporation but also to serve the country, protecting the nation in cyberspace.