Nearly a decade ago, the United States began naming and berating China for an onslaught of online espionage, the majority of which was carried out using low-level phishing emails against American companies for intellectual property theft.
On Monday, the US again accused China of cyberattacks. But these attacks have been extremely aggressive, showing that China has become a far more sophisticated and mature digital adversary than the one that embarrassed US officials a decade ago.
The Biden government’s indictment of the cyberattacks, along with interviews with dozens of current and former American officials, shows that China has reorganized its hacking operations in the intervening years. While China once carried out relatively simple hacks against foreign companies, think tanks, and government agencies, China is now perpetrating clandestine, decentralized digital attacks on American companies and interests around the world.
Hacks carried out via sloppily worded spearphishing emails by units of the People’s Liberation Army are reported by US officials and the prosecution.
While phishing attacks persist, espionage campaigns have gone underground and use sophisticated techniques. This includes exploiting “zero days” or unknown vulnerabilities in widely used software such as Microsoft Exchange’s email service and Pulse VPN security devices, which are more difficult to defend and allow China’s hackers to remain undetected for long periods of time .
“What we’ve seen in the past two or three years is an appreciation,” said George Kurtz, chief executive of cybersecurity company CrowdStrike. “They work more like a professional intelligence agency than the smash-and-grab operators we’ve seen in the past.”
China has long been one of the greatest digital threats to the United States. In a 2009 secret intelligence estimate, a document that represents the consensus of all 16 US intelligence agencies, China and Russia topped the list of America’s online opponents. But China was seen as the more immediate threat because of the volume of its industrial trade theft.
But that threat is even more worrying now that China has reshaped its hacking operations. Additionally, the Biden government has turned cyberattacks – including ransomware attacks – into a major diplomatic front with superpowers like Russia, and US relations with China have steadily deteriorated on issues such as trade and technology supremacy.
China’s hacking notoriety first came to the fore in 2010 with attacks on Google and the security company RSA and in 2013 with a hack by the New York Times.
In 2015, Obama officials threatened to greet President Xi Jinping of China with an announcement of sanctions on his first visit to the White House after a particularly aggressive breach of the U.S. Department of Human Resources. In this attack, Chinese hackers broke away with sensitive personal information, including more than 20 million fingerprints, for Americans who had received security clearance.
White House officials soon agreed that China would stop hacking American businesses and interests for its industrial benefit. During the Obama administration, security researchers and intelligence officials observed a remarkable decline in Chinese hacker attacks for 18 months.
July 19, 2021, 2:28 p.m. ET
After President Donald J. Trump took office and accelerated trade disputes and other tensions with China, hacking resumed. By 2018, US intelligence agencies had noticed a shift: the People’s Liberation Army hackers had resigned and were replaced by agents working on behalf of the Department of State Security, which is responsible for China’s intelligence, security and secret police.
Intellectual property hacks that benefited China’s economic plans came not from the PLA but from a looser network of bogus companies and contractors, including engineers who worked for some of the country’s leading tech companies, intelligence officials and researchers said.
It was unclear how exactly China was working with these loosely connected hackers. Some cybersecurity experts speculated that the engineers were being paid cash for the state, while others said those on the network had no choice but to do what the state asked. In 2013, a secret memo from the US National Security Agency said: “Exact affiliations with Chinese government agencies are unknown, but their activities indicate likely intelligence needs fed by the Chinese Ministry of State Security.”
The White House provided more clarity on Monday. In its detailed indictment, the US accused the Chinese Ministry of State Security of being behind an aggressive attack on Microsoft’s Exchange email systems this year.
The Justice Ministry separately charged four Chinese nationals for coordinating trade secret hacking from companies in the aerospace, defense, biopharmaceutical and other industries.
According to the charges, Chinese citizens operated with bogus companies such as Hainan Xiandun, which the Ministry of State Security established to give Chinese intelligence agencies plausible deniability. The indictment contained a photo of a defendant, Ding Xiaoyang, an employee of Hainan Xiandun, who received a 2018 Ministry of State Security award for his work in monitoring the front company hacks.
The United States also accused Chinese universities of playing a critical role in recruiting students for the bogus companies and conducting their main business activities, such as payroll.
The indictment also pointed to Chinese “pro-government” hackers for carrying out ransomware attacks that extort millions of dollars from businesses. Control of ransomware attackers was previously focused mainly on Russia, Eastern Europe and North Korea.
Foreign Minister Antony J. Blinken said in a statement Monday that China’s Ministry of State Security has “fostered an ecosystem of criminal contract hackers who carry out both government-sponsored activities and cybercrime for their own financial gain.”
China has also curtailed research into vulnerabilities in widely used software and hardware, which could potentially benefit the state’s surveillance, defense and cyber espionage. Last week, it announced a new policy requiring Chinese security researchers to notify the state within two days if they find vulnerabilities like the “zero days” the country relied on to breach Microsoft Exchange systems.
Politics is the culmination of Beijing’s five-year campaign to hoard its own zero days. In 2016, the authorities abruptly closed China’s most famous private platform for reporting zero days and arrested its founder. Two years later, the Chinese police announced they would enforce laws prohibiting “unauthorized disclosure” of security vulnerabilities. In the same year, Chinese hackers, who were regularly present at large Western hacker congresses, appeared on government orders.
“If you continue to maintain this level of access with the control you have, your intelligence community will benefit,” Kurtz said of China. “It’s a cyber arms race.”