Chinese cyber espionage: the invisible war threatening the West
- Gabriele Iuvinale
- 4 minutes ago
- Reading time: 10 min
The Chinese government coordinates cyber espionage operations through intelligence agencies and private contractors. Attacks target critical infrastructure, intellectual property and sensitive communications, posing a growing threat to international security
On March 4, the US Department of Justice charged 10 Chinese citizens with large-scale hacking of government agencies, media outlets, and dissidents in America and around the world, carried out on behalf of i-Soon, a Chinese company, at the behest of the Chinese government. It also indicted two officials of the Chinese Ministry of Public Security (MPS), alleging that they would "direct the hacks."

Chinese cyber espionage operations and the U.S. prosecution of i-Soon
According to documents in the possession of the judicial authorities, China's domestic intelligence service, the MPS, and its foreign intelligence service, the Ministry of State Security (MSS), employed a vast network of private companies and domestic contractors to hack and steal information, in order to conceal the Chinese government's involvement. In some cases, the MPS and MSS paid private hackers in China to exploit specific victims.
In many other cases, hackers targeted victims speculatively.
They identified vulnerable computers and penetrated them to exfiltrate information to sell directly or indirectly to the Beijing government.
The growth of Chinese cyber espionage and its main areas of activity
This is not an isolated case. Over the past decade, China's hacking program has grown rapidly, to the point that in 2023 Christopher Wray, then director of the FBI, said it was larger than that of every other major nation combined. China's growing power and sophistication have produced successes in three main areas: politics, the sabotage of critical facilities, and the theft of intellectual property on a planetary scale.
Beijing employs computer networks, electronic warfare, and economic, diplomatic, legal, military, intelligence, psychological, military deception and security operations in an integrated manner to weaken states, make them economically dependent on Beijing and more willing to accept 'a new authoritarian world order with distinctive Chinese characteristics'.
For this reason, unlike traditional interpretations, Beijing's state hacking must be seen in a broader context, in which control of technological means, strategic infrastructure and the most important global supply chains integrates the "trans-military" and "non-military" warfare operations described by two Chinese PLA colonels in the 1999 book Unrestricted Warfare.
This is the so-called Liminal Warfare, an incremental war, where the spectrum of competition and confrontation with the West is so broad that the battlefield is everywhere and the war is total.
Chinese political cyber espionage and surveillance operations
This form of espionage is primarily linked to the Ministry of State Security (MSS), China's foreign intelligence service. Last year it emerged that a group of Chinese hackers, nicknamed Salt Typhoon, had breached at least nine American telephone companies, giving them access to the calls and messages of important officials.
Ciaran Martin, who led Britain's cyber defense agency from 2016 to 2020, compares it to the 2013 revelations by Edward Snowden, a government contractor, that American spy agencies were conducting large-scale cyber espionage. With Salt Typhoon, China was "gaining vast access to the nation's communications through a strategic espionage operation of breathtaking audacity," Martin wrote in a recent analysis entitled "Typhoons in Cyberspace".
The use of cyber espionage for electronic warfare
In electronic warfare, hacking is used for sabotage in times of crisis or war. These efforts are led by the People's Liberation Army (PLA), the armed wing of the Chinese Communist Party.
In 2023 it was discovered that an affiliated hacker group known as Volt Typhoon had for several years been penetrating an extraordinary range of American critical infrastructure, from ports to factories to water treatment plants, across the continental United States and in strategic American territories such as Guam.
"Volt Typhoon is a military operation for strategic political and potentially military purposes," claims Ciaran Martin. Managed by the PLA's IT unit, it involves the planting of preparatory footholds, "digital traps" as some have called them, in all sorts of American critical infrastructure.
In addition to hitting a U.S. power utility in Massachusetts in 2023 in a sustained attack aimed at exfiltrating sensitive data about its operational technology (OT) infrastructure, Volt Typhoon gained notoriety last year for a series of attacks on US telecommunications, among other critical infrastructure worldwide. The action of the Volt Typhoon subgroup Voltzite at the Littleton Electric Light and Water Departments (LELWD) prompted the FBI and the security firm Dragos to act jointly, revealing details of the attack and its mitigation in a case study published in March 2025.
The theft of intellectual property through cyber espionage
The most damaging channel for intellectual property theft is cyber espionage. Cyber intrusions allow Chinese companies, in some cases acting under the direction of the CCP or with government assistance (so-called state cyber espionage), to access information on foreign companies' proprietary operations and project financing, as well as to steal IP and technology.
China uses government-backed and coordinated cyber espionage campaigns to steal information from a variety of foreign trading companies, including those in the oil and energy, steel and aviation industries. Cyber espionage is both a means of stealing science and technology from foreign states and a method of gathering information for potential attacks against the military, governmental and commercial technical systems of target countries.
In the United States, the investigative record on Chinese economic espionage is impressive: in 2014 five PLA hackers were indicted for economic espionage; in November 2017 three Chinese hackers who had worked at the cybersecurity company Boyusec were indicted for theft of confidential business information; in December 2018 two Chinese citizens were indicted for intellectual property theft; in May 2019 there was an indictment over the hacking of Anthem; in February 2020 four military hackers were indicted for targeting Equifax; in July 2020 it was the turn of two hackers associated with China's Ministry of State Security (MSS), charged with stealing intellectual property including Covid-19 research; members of a Chinese hacking group known as APT41 were indicted in September 2020, and other associated hackers in July 2021, all linked to the MSS.
The December 2018 indictment was part of a US-led effort to raise the issue of Chinese cyber espionage globally. In that case the campaign, known as Cloud Hopper, was a supply chain attack involving managed service providers such as Hewlett Packard and IBM, which provide cloud and other IT services to customers. The Department of Justice indicted two Chinese citizens who, according to the prosecution, were members of a well-known hacker group operating in China. Also according to the indictment, the defendants worked for the Huaying Haitai Science and Technology Development Company and acted in association with the Tianjin State Security Bureau of the Ministry of State Security.
In 2017, the Commission on the Theft of American Intellectual Property estimated that intellectual property theft costs the U.S. economy up to $600 billion a year, with a significant impact on jobs and innovation. This figure approaches the Pentagon's annual national defense budget and exceeds the combined profits of the top 50 Fortune 500 companies.
Such cyber intrusions, therefore, represent a fundamental threat to the economic competitiveness and national security of the affected states.
The global impact of Chinese cyber espionage
In June 2024, Dutch military intelligence (MIVD) said Chinese cyber espionage is more extensive than initially thought, targeting Western governments and defense companies. In particular, the MIVD stated that a Chinese state-backed hacking group, responsible for a cyber attack on the Dutch Ministry of Defense in 2023, had claimed at least 20,000 victims worldwide in just a few months, and possibly many more.
In 2018, the Czech National Cyber and Information Security Agency (NUKIB), the central body for cybersecurity of the Czech Republic, issued a public notice on China-related cybersecurity risks. Since then, the country has developed one of the most rigorous FDI screening mechanisms and significant cybersecurity capabilities vis-à-vis Beijing. Furthermore, it is also working on responses to foreign information manipulation and interference.
Dozens of European parliamentarians have been targeted by Chinese cyberattacks in recent years, according to US prosecutors. In particular, in March 2024 the United States Department of Justice issued an indictment stating that Chinese hackers tied to the country's spy agency, the Ministry of State Security (MSS), had targeted "every European Union member" of the Inter-Parliamentary Alliance on China (IPAC), a coalition of lawmakers critical of Beijing. According to the indictment, in 2021 the hackers sent "more than 1,000 emails to more than 400 unique accounts of individuals associated with IPAC" in an attempt to collect data about members' Internet activity and digital devices. According to a detailed analysis, Chinese espionage is also believed to have infiltrated the European Parliament.
Critical technologies as targets of Chinese cyber espionage
ASML, the well-known Dutch semiconductor lithography company, faces "thousands of security incidents per year", and several successful Chinese infiltration attempts have been made public. Research champions such as Imec, based in Belgium, are other prime targets for the Chinese. In recent years, the Belgian authorities have expelled Chinese researchers from the institute on suspicion of espionage. In response, the European Union is tightening security: the Commission has identified advanced semiconductors as one of four critical technology areas requiring risk assessments and enhanced research security.
Structure and organization of Chinese cyber espionage
According to Google's Threat Intelligence Group, China is expanding its espionage operations by using advanced persistent threat groups such as APT41 to combine ransomware deployment with intelligence collection. "Deliberately conflating ransomware activities with espionage intrusions supports the Chinese government's public efforts to confuse attribution by conflating cyber espionage activities with ransomware operations."
APT41 is believed to operate from China and to be "most likely a contractor of the Ministry of State Security". In addition to state-sponsored espionage campaigns against a wide range of sectors, APT41 has a long history of financially motivated operations. The group's cybercrime activity has focused primarily on the video game sector, including the deployment of ransomware.
Chinese state-sponsored cyber espionage constitutes only one part of the broader activity that falls within the scope of cyber warfare.
Techniques and tactics of Chinese cyber espionage
Mandiant Threat Intelligence (one of the leading cyber threat intelligence companies globally) states that, after the military and intelligence restructuring promoted by Xi Jinping in 2016, the tradecraft of China-affiliated cyber espionage groups has evolved constantly, becoming stealthier and more agile.
According to Mandiant, Beijing's cyber espionage activity falls under both the Ministry of State Security (MSS) and the PLA, but the two differ in geographic scope, operational alignment and victims. While threat groups affiliated with the PLA Theater Commands, such as Tonto Team and TEMP.Overboard, concentrate their operations within the areas of responsibility of their respective Commands, MSS groups such as APT41, APT5 and APT10 operate over a much broader geographic range, including the United States, Europe, Latin America, the Caribbean and North America.
In essence, the MSS conducts domestic counterintelligence, non-military foreign intelligence operations, and supports aspects of political security.
Mandiant Threat Intelligence reports that Chinese groups, in an effort to blend in with other threat activity, are increasingly likely to use publicly available malware.
What distinguishes Chinese cyber espionage activity from that of other states are the national interests pursued and the scale of the operations. Beijing has unique intelligence collection requirements, for example regarding Hong Kong, Tibet and the Uyghur community, and in terms of scale, Chinese activity is greater. In short, Mandiant believes that the Chinese state-linked groups conducting intrusions exploit more zero-days and are numerically larger than those of other states. Chinese actors use a variety of "initial entry vectors", such as email phishing and social engineering, strategic web compromise, and SQL injection. In 2020/2021 they also exploited n-day and zero-day vulnerabilities effectively, more than any other state.
In early 2020, Mandiant observed that one of the most prolific Chinese cyber espionage groups, APT41, had conducted a large-scale campaign exploiting vulnerabilities in Citrix, Cisco and Zoho corporate network and endpoint management devices, targeting more than 75 companies in over 20 countries in sectors ranging from aerospace and defense to pharmaceuticals, energy and public utilities. From January to March 2021, at least five Chinese activity clusters exploited the Microsoft Exchange "ProxyLogon" vulnerabilities to gain access to targeted networks.
Mandiant has also attributed many intrusions conducted between August 2020 and March 2021 in the defense, government, high-tech, transportation and financial sectors of the United States and Europe to two Chinese clusters, one of which is suspected of having ties to the group known as APT5. The Chinese group called APT10 is also alleged to have conducted third-party compromise activity via MSPs in North America and Europe.
During an investigation into 2019 incidents at a telecommunications network provider, Mandiant attributed the malware named MESSAGETAP to the APT41 group. Supply chain compromise incidents conducted by Chinese actors from 2013 to 2020 are nearly double those of Russia and North Korea combined.
APT41 is also known for large-scale supply chain compromises of video game and enterprise software, such as the 2018 campaign against the ASUS update utility, nicknamed "Operation ShadowHammer" by Kaspersky, which affected more than 50,000 systems.
The role of universities in Chinese cyber espionage
Chinese universities also collaborate with the PLA and the MSS to carry out state-sponsored cyber espionage operations.
Shanghai Jiao Tong University helps conduct operations for the Chinese army. Zhejiang University and Harbin Institute of Technology are recruiting grounds for Chinese hackers. Xidian University has its students gain practical experience at a provincial MSS office, and also had a relationship with the Third Department of the PLA General Staff before it was reorganized into the Network Systems Department in 2015; one of its graduate programs is jointly administered with the Guangdong Bureau of the China Information Technology Security Evaluation Center (Guangdong ITSEC), an MSS bureau that operates a prolific contract hacking team. Southeast University has a longstanding relationship with the security services and jointly operates the Purple Mountain Lab with the PLA Strategic Support Force, where researchers work together on "important strategic requirements," computer operating systems and interdisciplinary cybersecurity research. The university also receives funding from the PLA and the MSS to support the development of China's cyber capabilities. Shanghai Jiao Tong University's (SJTU) Bachelor of Science in Cyber Security program is hosted at a PLA information engineering base; its Cyberspace Security Science and Technology Research Institute, home of the Network Comparison and Information System Security Testing program, conducts research that enables IT operations. Within this program, SJTU states that it works on "testing and evaluation of networks and information systems, security testing for intelligent connected networks, APT attack and defense testing, and key cyber range technology". The MSS's university partners in talent recruitment are the China University of Science and Technology, Shanghai Jiao Tong University, Xi'an Jiaotong University, Beijing Institute of Technology, Nanjing University and Harbin Institute of Technology.
Some Chinese cybersecurity companies, such as Beijing TopSec, collaborate with the PLA in hacking campaigns, training its operators and future hackers.
This analysis was originally published in Italian in Agenda Digitale.