Gabriele Iuvinale

#LiminalWarfare: a huge Chinese public/private ecosystem carries out acts of multilevel cyber warfare

According to research released this week, hundreds of private cybersecurity companies, technology service providers and universities are helping the PLA develop offensive cyber capabilities to support Xi Jinping's China's strategic military, economic and geopolitical goals



“The existence of state-sponsored threat groups operating under the direction of the Chinese state has been well documented for some time,” write researchers from France's Orange Cyberdefense in their report, based on eight months of analysis of China's cyber defense capabilities. “China's offensive cyber capabilities are in fact supported by a complex, multilevel ecosystem involving a wide range of state and non-state actors.”


Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.



Partial organigram of the Chinese state entities directly or indirectly involved in offensive cyber operations. Credit Orange Cyberdefense

In February 2024, a leak at the Chinese company Sichuan i-SOON provided further evidence of the extensive public-private cooperation in support of Chinese state cyber operations. From official contracts to internal communications, the leaked documents exposed i-SOON's role as a long-time contractor for the MSS, carrying out cyber campaigns against targets in over 70 countries, from France to Rwanda and Nepal.


"China's engagement with non-state actors is not confined to private companies. The government has a longstanding tradition of integrating top universities into national security efforts. The "Seven Sons of National Defense", for instance, are key academic institutions affiliated with the Ministry of Industry and Information Technology, contributing significantly to the state's defense R&D efforts. As it turns out, this collaboration also extends to cyberspace, as the academia increasingly supports state-sponsored cyber campaigns, often focused on espionage to advance China's political and economic interests."


According to expert David Kilcullen, “Liminal Warfare” involves the integration of economic, legal, military, intelligence, and cyber policies into a single, seamless mix of activities and maneuvers focused on defining operations with the adversary before launching a military operation.

A multilevel public/private ecosystem

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.


The Five Theatre Commands of China's People's Liberation Army. Credit Orange Cyberdefense

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says.

  1. Private companies as hack-for-hire contractors

Government stakeholders work with hundreds of private companies, large and small, to carry out cyber attacks against foreign entities that are of strategic interest to the CCP, the report noted.


One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."


"The inclusion of private enterprises in the PRC's hacking operations provides the Chinese state with several strategic advantages. One key benefit is plausible deniability; when an attack is traced back to a private company, it may be more challenging for Western authorities to establish a direct link to the Chinese government. Even after companies like Chengdu 404 are sanctioned by foreign governments, they often continue their operations within China and may even receive financial support from the state, allowing them to maintain business as usual. Significantly, private contractors offer the state access to a pool of hacking talent within the private sector, bringing cyber offensive expertise that may not be readily available within governmental agencies."

Extract of our map visualizing some of the front companies tied to MSS Hainan Bureau and all associated with the APT40 cluster by Intrusion Truth. Credit Orange Cyberdefense

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.


  2. Universities as hubs for offensive security research

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.


Like many other nations, China maintains several military universities that work closely with the armed forces. It comes as no surprise, for instance, that the PLA Information Engineering University has been involved in a project aiming at testing malware effectiveness for the military, while the National University of Defense Technology hosts a lab focused on electromagnetic interference against information systems, the report noted.


C9 League Universities in China (Fudan University, Shanghai Jiao Tong University, Harbin Institute of Technology, Nanjing University, Peking University, Tsinghua University, University of Science and Technology of China, Xi'an Jiaotong University, and Zhejiang University). Credit Orange Cyberdefense

Additionally, other universities play a crucial role in the development of cyber ranges, often in collaboration with private enterprises and the military. Cyber ranges are virtual environments consisting of interconnected virtual machines that simulate real-world computer networks, allowing users to practice security operations and hone their skills in a controlled setting. For example, Shanghai Jiao Tong University, in collaboration with cyber range complex Peng Cheng Lab, has conducted advanced research on the use of AI in cybersecurity using a supercomputer. The school is among the most advanced in research at the intersection of AI and cyberspace, alongside Hainan University and Southeast University.


More striking, however, is the extent of collaboration between military structures and civilian universities for offensive operations directly. Several schools, such as Southeast University or Xidian University, have received research grants from the PLA for information security R&D and have directly contributed to the army's operational capabilities. In some cases, universities' infrastructure may be leveraged by state-linked threat actors. For example, Unit 61726 of the Third Department of the PLA, known as Circuit Panda, allegedly used Wuhan University's facilities for cyber operations targeting Taiwanese entities. Among the C9 League universities – the nine most prestigious Chinese universities enjoying robust state funding – only Fudan University has yet to be linked to any state-sponsored offensive security operations.




