At the end of July, the second ever CyBRICS competition for specialists in the field of information security took place. Similarly to last year, it was organized by ITMO University’s Faculty of Secure Information Technologies and Institute of International Development and Partnership together with the sports hacking community SPbCTF.
This year, CyBRICS managed to expand both its number of participants and its geography. What’s more, especially for participants interested in the research side of information security, the organizers added tasks on theoretical cryptography.
“The idea of CyBRICS originated in 2018 as a result of a meeting of BRICS Network University, when universities from Brazil, Russia, India, China, and South Africa decided to host an event bringing together students and lecturers in the field of information security,” says Aleksei Lizunov, advisor to ITMO University’s first vice rector. “Last year, we did organize such a tournament. This year, CyBRICS has fully transitioned to the online format. But the idea remained the same – we invited all the teams connected to cybersecurity from all over the world, and not just from the five BRICS countries. This year, we set a new record: some 1,503 teams compared to 1,188 last year. What’s more, 786 teams participating in CyBRICS 2020 managed to solve at least one task, there were 775 such teams last year.”
The first place went to the team corruptedpwnis, which consisted of students and graduates of different Russian universities, including Higher School of Economics, ITMO, Moscow Institute of Physics and Technology, Ural Federal University, and CTU (Czech Technical University in Prague). Coming in second was the team DefenitelyZer0, which included sports hackers from South Korea and Japan. The third place went to ITMO University student team [SPbCTF] fargate. These teams shared a 6,000-dollar prize fund. The top five also included teams from China and France.
Contributing as the tournament’s partner was the Chinese cybersecurity championships league XCTF. The corruptedpwnis team’s first place got them qualified for participation in XCTF Finals in China, which annually brings together the winners of international CTF competitions. The companies Positive Technologies and BI.ZONE also provided the top-three teams with five invitations to major international cybersecurity conferences Positive Hack Days and OFFZONE, which are to be held in spring 2021 in Moscow.
This year’s new features
Vlad Roskov, the task development team leader and mentor of the SPbCTF, explained the updates in the competition’s task set.
“The competition was held in the traditional Jeopardy CTF format: there were seven categories, each featuring tasks on four levels of complexity, and the team which scores the most points in 24 hours wins. In each task, participants have to examine a system, identify possible vulnerabilities, and use them to get the answer. All the tasks we prepared are practice-oriented, covering such fields as web security, incident investigation, network security, applied cryptography, algorithm research, exploitation of vulnerabilities. ITMO University also added two tasks on theoretical cryptography.”
The teams had 24 hours to solve the tasks, in doing which they weren’t limited in their internet nor literature use – everything that could’ve helped them solve the tasks was allowed. In the course of the game, the teams submitted 10,997 answers, 3,225 of which were accepted. Only 160 teams managed to grapple with the tasks on theoretical cryptography.
“Our goal is not just to play and compete, it’s more global,” highlights Danil Zakoldaev, the dean of ITMO University’s Faculty of Secure Information Technologies. “We aim to form a stable community of young scientists, to get Master’s and PhD students to join research teams dealing with tasks in the field of cybersecurity. To achieve this, we’ve introduced several research tasks where you have to really think, calculate something, take a pencil and a sheet of paper, and just sit on it for a while. These have been integrated into the traditional Jeopardy! format. However, out of some 800 teams that solved at least one task, only 160 managed to solve a beginner-level research task, and only 29 solved a middle-level research task. We haven’t introduced any advanced tasks yet, this is in our plans for next year, provided that we can hold the competition in two rounds – a qualifying one and an in-person final one in St. Petersburg.”
Post-competition debriefing
“Towards the end of the competition, we asked the participants what tasks they would like to see in the video analysis the next day,” says Ksenia Kravtsova, the founder of SPbCTF. “Video analysis of the tasks is a CTF tradition: onsite competitions feature in-person analysis, while online ones offer write-ups, which are then published in blogs or on ctftime.org. This is invaluable for analyzing your approach and acquiring new knowledge, as well as honing your skills. As this year’s CyBRICS was fully held online, the analysis of the tasks was also held in the form of a YouTube livestream. Each developer provided a detailed explanation of their task and responded to viewers’ questions, and in the end, the viewers requested advice on ways to perfect their hacking skills.”
The analysis of CyBRICS 2020 tasks was broadcasted on the SPbCTF YouTube channel.
