Chinese hackers are getting bigger, better and stealthier

Mint

4 days ago

China's power is growing rapidly every year. From warships to missiles, the country is churning out hardware at an extraordinary rate. In the unseen, online world, it is making similar leaps. On March 4th America's Justice Department charged eight Chinese nationals with large-scale hacking of government agencies, news outlets and dissidents in America and around the world, on behalf of i-Soon, a Chinese company, at the direction of the Chinese government. It also indicted two officials who it said 'directed the hacks".
These instances are the tip of a vast iceberg. Over the past decade China's hacking programme has grown rapidly, to the point that in 2023 Christopher Wray, then the fbi director, noted it was larger than that of every other major nation combined. China's growing heft and sophistication have yielded success in three main areas.
The first is political espionage, linked primarily to the Ministry of State Security (mss), China's foreign-intelligence service. Last year it emerged that one group of Chinese hackers, dubbed Salt Typhoon, had breached at least nine American phone companies, giving them access to the calls and messages of important officials. Ciaran Martin, who led Britain's cyber-defence agency from 2016 to 2020, compares it to the revelations in 2013 by Edward Snowden, a government contractor, that American spy agencies were conducting cyber-espionage on a huge scale. China was 'gaining vast access to the nation's communications via a strategic spying operation of breathtaking audacity," he says.
A second is in domains of little espionage value: hacking that lays the groundwork for sabotage in moments of crisis or war. These efforts are led by the People's Liberation Army (pla), China's armed forces. In 2023 it became apparent that a pla-linked hacking group known as Volt Typhoon had, over several years, burrowed into an extraordinary range of American critical infrastructure, from ports to factories to water-treatment plants, across the continental United States and in strategic American territories such as Guam.
All of that builds on a third type of hacking: the industrial-scale theft of intellectual property. In 2013 Mandiant, a cyber-threat intelligence firm, which is now part of Google, made waves when it exposed 'apt1", the label for a group of hackers linked to the pla. apt1 was not focused on stealing political secrets or turning off power grids but on stealing blueprints, manufacturing processes and business plans from American firms. A year later America's government took the then unprecedented step of indicting five pla hackers for this activity. Keith Alexander, a former head of the National Security Agency (nsa), America's signals-intelligence service, described this as 'the greatest transfer of wealth in history".
That period ended with a partial truce. In 2015 Barack Obama, then America's president, and Xi Jinping, his Chinese counterpart, announced a 'common understanding". Neither country would conduct cyber-espionage to steal intellectual property. The agreement worked. Shortly afterwards commercial espionage of this sort fell dramatically, if temporarily. But that was simply the start of the new era of political espionage and sabotage.
All of these areas have been affected by three big shifts within China's hacking programmes. One is who is doing the hacking. In 2015-16, shortly after being shocked by the Snowden revelations, China reshuffled its cyber forces. The pla was forced to retrench, focusing on military intelligence and reconnaissance—like Volt Typhoon—and its activity declined. The mss took over political-intelligence gathering—like Salt Typhoon—which it conducted with gusto, and commercial espionage, which continued on a smaller scale. 'Nowadays," writes Tom Uren, author of 'Risky Business", a cyber newsletter, 'the mss is the big kahuna."
Quieten down, lads
Second, Chinese hacking got better. About 20 years ago, when cyber-security firms began tracking the threat, Chinese hackers were 'very, very loud", says John Hultquist of Mandiant, 'incredibly willing to set off alarms, incredibly willing to be caught". A European official concurs. Even five years ago, she says, 'Chinese cyber operators were not considered very sophisticated." That has now changed. 'The speed at which they improve always seems to come as a surprise to Westerners, even though it really shouldn't," says the official. 'If China wants to accelerate in an area, then they will, and they have very smart people."
That points to a third shift. Chinese cyber operations now draw increasingly on a large and flourishing private-sector ecosystem which has become a talent pipeline, enabler and force multiplier for Chinese cyber operations around the world. Consider the mss-linked Tianfu Cup in the south-western city of Chengdu (which has emerged as a hub for this kind of activity). It is one of many 'capture the flag" (ctf) competitions in which tech-savvy youngsters compete to show off their hacking prowess by finding and exploiting vulnerabilities in software. China has hosted about 130 of these sorts of events since 2004, most of them after 2014, and many backed by government ministries, according to data collected by Dakota Cary, a consultant at SentinelOne, a cyber-security company, and Eugenio Benincasa of the Centre for Security Studies at eth Zurich.
These events can draw huge crowds. The Wangding Cup is organised by the Ministry of Public Security (mps), which runs the country's police force and gathers domestic intelligence. The cup is known as the 'cyber-security Olympics" and can attract 30,000 people, note Mr Cary and Mr Benincasa. The tournaments are scouting grounds for Chinese spooks. As with elite sports, a handful of star hackers tend to drive a team's success. A decade ago Chinese hackers were allowed to travel to contests abroad; that is now restricted. The vulnerabilities they discover—weaknesses in code that can be used to gain access—'are siphoned straight into the state apparatus", says a person familiar with the process. In 2021 the government punished Alibaba Cloud, a tech firm, for divulging a vulnerability without first telling the state.
Talent contests are just the start. Last year, documents belonging to i-Soon were leaked on the internet. They showed that the firm was functioning as a private signals-intelligence agency whose targets spanned 23 countries: Nepal's presidential palace, road-mapping data from Taiwan, South Korean telephone logs, Indian immigration systems and Thailand's intelligence service. i-Soon is one of many such firms in Chengdu.
The firms are not unstoppable ninjas—the leaked files show evidence of internal arguments, disorganisation and failure—but they add to China's cyber heft. Even where mss hackers do the hacking themselves, they often rely on this corporate hinterland for the tools and infrastructure to enable their attacks. When Chinese hackers first started, they used to come, undisguised, 'right out of Shanghai networks", says Mr Hultquist. Today they make use of operational-relay-box (orb) networks, built and maintained by private firms, which use compromised devices around the world, such as home internet routers, to disguise the origin of attacks.
The increasing scale, sophistication and aggression of Chinese hacking are 'by far the most significant shift in the cyber-threat landscape in well over a decade", notes Mr Martin. Volt and Salt Typhoon, on their own, 'are strategic compromises of the West on a scale hitherto unseen by any other cyber power", he warns.
It is not yet an all-out cyberwar. 'What separates China from their peers like Russia, North Korea and Iran", says Mr Hultquist, is that those states routinely cross the line from espionage to disruption, from spying and reconnaissance to outright sabotage. China has 'never pulled the trigger", he says. Even in American infrastructure networks, China has stopped short of inserting destructive code. 'We can see them doing the reconnaissance. We can see them getting into place. They're not showing us the weapon."