Hong Kong: Few doubt that China is responsible for a massive campaign of computer hacking and nefarious cyber activities. Beijing denies any culpability for cyberattacks, calling such accusations “baseless”, but the weight of evidence rests squarely against China.
The US Office of the Director of National Intelligence, in its 2023 Annual Threat Assessment, recognized the threat: “China probably currently represents the broadest, most active and persistent cyber espionage threat to US government and private-sector networks. China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the US homeland.”
If this were not damning enough, the report continued: “China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.” This assessment was borne out by a Chinese state-sponsored threat group called Volt Typhoon, responsible this year for some of the most extensive intrusions ever disclosed into American critical infrastructure. Five Eyes partners publicly disclosed the worrying threat posed by Volt Typhoon in May, since the group’s activities represent far more than the usual espionage conducted by nations. The group pre-placed implants and achieved long-term access inside adversaries’ networks, and such prepositioning shows maturity in the People’s Liberation Army’s (PLA) joint information warfare capabilities. Pukhraj Singh, Director of the Centre for Epistemic Security, wrote for the Australian Strategic Policy Institute (ASPI): “The military cyber elements seem to have been extricated from the stovepipes of the theater commands and are ready to produce strategic effects extending beyond the Indo-Pacific. And the integration isn’t just militaristic but also political: the PLA is the Chinese Communist Party’s (CCP) army. Strategic cyber operations are directly sanctioned by the Central Military Commission, and ultimately authorized by Xi.”
Singh further posited: “The intelligence that has trickled through from the Five Eyes points to interesting doctrinal and strategic developments in the Chinese cyber establishment, especially the extent and success of its integration with the PLA.” Two organizations are broadly responsible for China’s state-sponsored hacking – the PLA and the Ministry of State Security (MSS). The latter oversees most state-sponsored hacking activities abroad.
US officials are displaying greater willingness to point fingers. For example, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), defined China’s cyber-espionage and sabotage capacities as an “epoch-defining threat” earlier this year. She added that in the event of warfare, “aggressive cyber operations” would threaten critical US transportation infrastructure “to induce societal panic”. Easterly warned: “It’s going to be very, very difficult for us to prevent disruptions from happening.”
According to the European Repository of Cyber Incidents, 240 state-sponsored cyberattacks worldwide from 2005-23 were attributed to China, compared to 158 to Russia, 103 to Iran and 74 to North Korea. China accounts for roughly 25 per cent of the global online population, but its share of state-sponsored hacking is clearly far larger than that. Some 78 per cent of its attributed attacks aimed to steal data.
Chinese hacking groups tend to be active for approximately three years, and each group tends to concentrate on no more than four countries. However, there are exceptions, such as APT41, which has been operating for 13 years and whose activities have been identified in 14 different nations. The US Justice Department announced charges against seven APT41 hackers in September 2020. The US Secret Service also accused APT41 of stealing millions of dollars in COVID-19 relief benefits from 2020-22.
There are many other groups too. The actor Microsoft tracks as Storm-0558 accessed the email accounts of around 25 organizations, including US government agencies, and of individuals such as US Ambassador to China Nicholas Burns and Assistant Secretary of State for East Asia Daniel Kritenbrink.
A group claiming to be APT27 took responsibility for attacks on Taiwanese websites during a Taipei visit by former House of Representatives Speaker Nancy Pelosi in August 2022. Mandiant, for its part, reported that APT41 compromised the computer networks of at least six US state governments between May 2021 and February 2022. Elsewhere, the 2021 Microsoft Exchange attack by Hafnium affected some 250,000 targets. As another example, ShadowPad, a backdoor used by PLA-linked groups, was discovered in India’s power grid in 2021 during the border standoff.
Furthermore, a backdoor known as Aria-body, with alarming intrusive capabilities, has been used against governments and state-owned companies in Australia and Southeast Asia. It allows hackers to remotely take over a computer, manipulate files and set up covert command-and-control channels back to the operators. Israeli cybersecurity company Check Point Software Technologies attributed Aria-body to the Chinese hacker group Naikon, which is connected to a PLA unit located in Kunming.
Lotem Finkelstein of Check Point said: “The Naikon group has been running a longstanding operation, during which it has updated its new cyber-weapon time and time again, built an extensive offensive infrastructure and worked to penetrate many governments across Asia and the Pacific.”
Such conclusions were also borne out by a report recently published by the Mercator Institute for China Studies (MERICS), a non-profit think-tank based in Berlin. This research by Antonia Hmaidi, entitled “Here to Stay – Chinese State-Affiliated Hacking for Strategic Goals”, highlighted the extent and purpose of Chinese efforts in the cyber domain.
Hmaidi reached some key findings in her MERICS report, as Beijing becomes more sophisticated and its cyberattacks closely follow the strategic goals of the CCP. The US is by far China’s largest target, followed by India, Japan, Taiwan and Vietnam respectively. Nonetheless, Europe is not immune, and so the MERICS researcher noted that Chinese hacking poses a risk to Europe’s long-term prosperity. Indeed, the European Commission estimates that cyberattacks cost EUR5.5 trillion globally.
Furthermore, in Germany, 86 per cent of companies suffered damage from cyberattacks, at a cost of EUR223 billion (or 6 per cent of national GDP) in 2021 alone. Last year, 43 per cent of German companies said they had been cyberattacked from China.
A second point by Hmaidi is that China has rearranged its hacking capabilities to make attribution more difficult and to increase the combat readiness of the PLA. Indeed, institutional changes have created a more flexible and sophisticated state-affiliated hacking scene.
Indeed, China works hard to keep its illicit cyber activities quiet, and of course it is a major challenge to attribute cyberattacks to specific players. However, it is undisputed that China has become more sophisticated. What once started as high-volume phishing campaigns has increasingly focused on long-term and targeted attacks. While not all Chinese threat actors have clear ties to the Beijing government, there is considerable evidence of links.
States often use proxies, but since many Chinese hacker organizations in the past were directly affiliated with the PLA, Beijing could not plausibly deny responsibility. Cyber threat intelligence firm Mandiant identified the group it calls APT1 as Unit 61398 of the PLA, a state-affiliated advanced persistent threat actor. For example, in 2021 the US government accused it of targeting key technology companies.
Chairman Xi Jinping signed an agreement with the US in 2015 promising that neither would engage in commercial cyber espionage. There was a short-term decrease in Chinese hacking, but it is difficult to say whether this was because Beijing was honoring the agreement, or whether China simply changed its approach. That was the same year that the PLA restructured and created the Strategic Support Force (SSF), where all of China’s military cyber, electronic and space capabilities now reside.
By 2016, it was observable that Chinese hacking had increased in volume and sophistication, including a vast satellite network of contractors at front companies and universities that work at the behest of the MSS. This freelance cyber-army is guided by the MSS, whereas the PLA and SSF focus more on combat-oriented activities now.
Xi’s preoccupation with national security – which extends to economic and technological security – means that hacking is considered essential to national strategic goals. This includes aspects such as technological innovation, gaining information for mergers and acquisitions, targeting dissidents and traditional espionage against foreign governments.
With Xi labeling science and technology as “the main battlefield of the economy”, China eagerly uses both legal and illegal avenues to grab knowledge and technology. This might be via requiring technology transfers before a foreign company is allowed market access, joint venture requirements for Chinese investment, poaching foreign experts, or exploiting weak protection of intellectual property.
A third conclusion noted by Hmaidi is that Chinese threat actors typically attack for the purpose of gaining long-term access. This contrasts with Russian actors that want to cause disruption, or North Korean ones wishing to make money. China is biding its time, building up capabilities that could be used later for disruption, such as during a Taiwan conflict.
Hmaidi noted: “A broader range of institutions and hackers has become part of China’s hacking landscape over the past decade, but their goals have been consistent. A key one is to value long-term access to targets above short-term rewards, which applies for the PLA, the MSS and their proxies. This makes detection more difficult.”
The PLA’s peacetime-wartime integration means such long-term access could be suddenly used for destructive purposes in the event of a conflict. Some groups leave behind disruption software, one example being in the US power grid. “While Chinese threat actors have not moved to disruption to date, China has set up cyber ranges to conduct disruption tests, and all indications point to it building up capability to disrupt in the future.”
Furthermore, “Chinese state-affiliated threat actors try to stay undetected, and a lot of their hacking is designed to be invisible so as to secure long-term access to their targets. APT1, for instance, has maintained access to networks for an average of 365 days, and it has been able to stay in some networks for up to five years.” Nor do Chinese hacking groups tend to use ransomware, although groups like Emissary Panda can disguise IP theft as ransomware attacks.
Instead, China regularly targets dissidents, patent holders, and corporate and state-owned enterprises in international negotiations. RedAlpha, for instance, targets Tibetans in exile, whilst APT40 targets university research projects relating to naval capabilities. APT41 is the most prolific actor, but it also seems to engage in financially motivated behavior, suggesting that the MSS is not in full control of its various cyber tentacles.
Beijing has cleaned up criminal freelancers, such as with 2015’s Operation Clean Internet, and the government has a firm grip on China’s hacking community. The MSS uses a series of loosely affiliated shell companies, many of which are also involved in domestic repression. Staying in the government’s good books often allows these hackers to conduct their financially lucrative side businesses.
The timing of Chinese cryptocurrency attacks, usually after 6pm, while data theft attacks occur in worktime hours, also suggests that some Chinese groups moonlight. One should not be surprised that such enterprising behavior occurs. Despite Xi’s anti-graft campaign, corruption remains endemic in China.
In the first nine months of 2023, for example, 405,000 officials were punished according to the Central Commission for Discipline Inspection (CCDI). Of these, 34 were senior officials at provincial or ministerial levels. These punishments stemmed from 2.617 million reports or tip-offs relating to questionable behavior. Ironically, in the same nine-month period, more than 18,700 tipoffs related to CCDI or supervisory officials.
Finally, the MERICS report noted, Chinese actors focus on a smaller number of high-value targets and reuse the same exploits for different target types. It is difficult to spot them, since they use edge devices like routers, as well as techniques designed to avoid detection.
The SSF, China’s counterpart to US Cyber Command, is designed to strike at an enemy’s most vulnerable points, often the high-tech military digital networks that are its Achilles heel. Denial of space, the electromagnetic spectrum and cyber networks could seriously hobble a military power like the US.
The centralization of China’s cyberattack and defenses under one force – namely the Strategic Support Force – increases synergy and improves deconfliction. This “cleaning up” of PLA cyber forces streamlines command and control; enhances oversight and control; tightens tactics, techniques and procedures; and improves professionalism.
Beijing thinks its proxies and camouflage provide greater deniability, but the fact is that countries like the US, and many others, are increasingly alarmed and irritated by the extent of China’s illicit cyberwarfare.