15.01.2024.

“Here to stay” – Chinese state-affiliated hacking for strategic goals

1. Introduction

1.1 China’s cyberattacks are increasing and becoming more sophisticated

With more economic activity moving online, cyberattacks are gaining relevance. Globally, the European Commission estimates cyberattacks to cost EUR 5.5 trillion.1 Cyberattacks are estimated to have cost German companies EUR 223 billion, or 6 percent of Germany’s GDP, in 2021.2 That same year, 86 percent of German companies suffered a cyberattack that led to some damage, according to one survey.3

As many cyberattacks are not publicized, how many originate in a particular country is hard to establish. Public information about Chinese cyber activities has become difficult to come by. Until about 2015, there were increasing media reports about Chinese cyberattacks.4 Since then, China has worked to keep its capabilities hidden, but there is ample evidence that it is a significant and growing source of cyberattacks. In addition, while most cyberattacks are carried out by criminal actors that only want to make money, China’s ones are more strategic and pose a risk to Europe’s long-term prosperity.

While the involvement of China’s government cannot be proven in all instances, some involvement is likely given its continuous quest to control the country’s cyberspace and cyber actors. Many of the Chinese threat actors have been shown to have direct ties to the People’s Liberation Army, the Ministry of State Security, or to a lesser extent the Ministry of Public Security. There is also solid evidence that the government financially supports the threat actors carrying out the attacks described here.

According to the European Repository of Cyber Incidents (EuRepoC), China was the country responsible for the largest number of cyberattacks worldwide between 2005 and 2023 with 240, followed by Russia with 158. China-originating hackers were responsible for attacks on 1,120 out of a total of 6,335 victims while Russia was responsible for 605.

German companies are seeing increased attacks from China. In 2021, 30 percent of them said they had been attacked from China; in 2022, the figure was 43 percent.5 For example, in 2019, the Chinese hacking group Winnti was found to have attacked major German corporations for years. It had started out targeting the gaming industry to make money and moved on to technology and pharmaceutical companies, and then in 2022 it started attacking government institutions and embassies.6 It was so omnipresent in German companies that one cybersecurity expert joked that “[a]ny DAX [Germany’s most important stock market index] corporation that hasn’t been attacked by Winnti must have done something wrong.”7

Chinese hacking activities have not only increased; they have also become more sophisticated. In the United States, indictments by the Department of Justice, statements by the Federal Bureau of Investigation, and reports by cybersecurity firms show this. Chinese hacking was originally focused on high-volume phishing campaigns8 but it has become increasingly focused on long-term and targeted attacks.9

In Europe, governments and, especially, intelligence services have slowly acknowledged this problem. The 2021 report of Germany’s domestic intelligence agency, the Verfassungsschutz, stated: “In Germany, politics and bureaucracy, economy, science and technology, as well as the military are the main goals of Chinese espionage. To realize its ambitious industrial policy, China uses espionage in business and science.”10

In 2021, NATO, the EU, Australia, and New Zealand publicly attributed the hacking of the Microsoft Exchange Server to China’s Ministry of State Security.11 The group Microsoft identified as the attacker, Hafnium, targeted several industries to exfiltrate information and, after gaining access, installed additional malware to facilitate long-term access.12

1.2 Chinese hacking serves strategic goals like technological innovation

With President Xi Jinping’s expansion of the definition of national security to include economic and technological security, hacking by Chinese state-affiliated actors now serves national strategic goals. This includes technological innovation, gaining information for mergers and acquisitions, targeting dissidents, and traditional espionage against foreign governments. In 2014, China’s ambassador to the United States said, when explaining why cyber activity against commercial secrets is the same as national security espionage: “How can you distinguish from activities that will hurt national security without hurting the nation’s commercial interests?”13

Europe’s prosperity relies in no small part on its technology and innovation strength. Technological innovation is also increasingly driving geopolitical, economic, and military competition. Meanwhile, China, labeled a systemic rival by the EU, is in a race for technology supremacy with the West.14

In 2020, Xi described science and technology as the main battlefield of the economy.15 In the new system of “holistic innovation” and “all-of-state system,” he said, everyone is supposed to come together to serve China’s innovation needs.

China has used legal and illegal ways to induce knowledge and technology transfer.16 Its toolbox includes requiring technology transfer for market access, joint venture requirements for investment in China, and weak protection of intellectual property.17 Chinese firms have tried to poach talent, notably in the semiconductor industry.

For instance, Semiconductor Manufacturing International Corporation has recruited engineers from Taiwan Semiconductor Manufacturing Company on a large scale, at least doubling their salary.18 On the illegal side there is economic espionage. This year, a chip executive went on trial in South Korea for stealing Samsung secrets that would be used to build a factory in China.19 The Dutch semiconductor company ASML has alleged that IP theft by a former employee was a “plot to get technology for the Chinese government” and has won this lawsuit.20 Huntsman Corp, a US chemicals maker, argues that its trade secrets were stolen in the course of a government-mandated regulatory approval process.21

Hacking is a major illegal way through which China gains access to critical technology. Germany’s Verfassungsschutz has stated that “especially German high-tech companies and world market leaders are in sight of most likely Chinese espionage.”22 According to it, these espionage activities are guided by national and global initiatives of China’s government. These government initiatives set out very specific strategic goals in technology. For example, the Made in China 2025 program aims to make the country a producer of high-tech goods, to increase the share of indigenous fundamental technology, and to increase informatization in the economy.23 Since its inception in 2016, and thus throughout the trade and technology war with the United States, China’s focus on indigenous innovation and science and technology has increased.

Western cybersecurity firms and government agencies agree that China’s targeting of industries for hacking has aligned with the strategic priorities in its Five-Year Plans.

In 2005, the US intelligence community expressed worry about Chinese spies “poking into all sorts of American technology to compete with the U.S.”24 One example was the 2005 Titan Rain campaign that targeted technology restricted from export to China from the United Kingdom and the United States, in addition to targeting defense contractors and the US Department of Defense.25 Titan Rain also revealed the state-private nexus in China’s technology system. In 2011, it was reported that “many US firms whose business revolves around intellectual property complain that their systems are now under constant attack.”26 In 2014, Federal Bureau of Investigation Director James Comey said: “For too long, the Chinese government has blatantly sought to use cyber-espionage to obtain economic advantage for its state-owned industries.”27 In 2021, the US government alleged that one hacking campaign originating in Hainan targeted many key technology companies in the West.28 This was reported by Mandiant, a cybersecurity company that identified the first large-scale Chinese state-affiliated advanced persistent threat (APT) actor – Unit 61398 of the PLA (also called APT1) – as responsible. The industries targeted were aligned with strategic priorities listed in China’s Five-Year Plan.29

Europe has also increasingly become worried about Chinese economic espionage through hacking. Germany’s first China strategy, adopted in July 2023, states that “Espionage activities targeting Germany continue to increase, particularly in cyberspace.”30 In the Netherlands, the intelligence agencies have warned about Chinese cyberattacks, stating that “the crown jewels of the Dutch economy are in danger.”31 In its latest annual report, the General Intelligence and Security Service called China “the biggest threat to the Netherlands’ economic security,” and its director-general said that “the Chinese use cyber as a weapon, cyber as a way to commit espionage.”32

1.3 China rearranges its hacking capabilities to make attribution more difficult

China rearranged its hacking capabilities to make attribution more difficult. States have long relied on proxies for cyberattacks to benefit from their expertise and to make attribution more difficult.33 Autocracies tend to use proxies more but these are often quite firmly entrenched in their state bureaucracy and only have limited autonomy, as is the case with China, making their designation as proxy contested.34

Chinese cyber espionage started in the People’s Liberation Army (PLA), whose units often conduct economic in addition to political and military espionage. In 2009, for instance, a State Department cable claimed that a series of attacks could be traced back to the PLA’s Third Department, which oversaw China’s electronic eavesdropping at the time.35

Public naming-and-shaming and US indictments of Chinese hackers became frequent, especially between 2009 and 2015. Because most hackers were based directly in the PLA, China’s government could not plausibly deny its direct involvement.

In 2015, Xi and President Barack Obama signed an agreement that China and the United States would not engage in commercial cyber espionage.36 This was followed by a short-term decrease in Chinese hacking, although it is unclear how much of this was due to China honoring the agreement and how much to a change in its approach.

A reshuffle in China’s military in 2015 – when the Strategic Support Force (战略支援部队) was formed to centralize all PLA space, cyber, electronic, and psychological warfare capabilities37 – made evaluating the effectiveness of the agreement difficult. There has been a considerable increase in the volume and sophistication of Chinese hacking since 2016. Even before this, some of China’s cyber hacking had reportedly moved to the private sector and a vast “elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security.”38 Since 2015, this “freelance cyber army” has been guided by the Ministry of State Security, which is officially a full-spectrum intelligence agency, while the PLA has shifted to combat-oriented activities.

2. Hackers serve the party state in several domains

An analysis of the EuRepoC data reveals that, between 2005 and 2021, more than 78 percent of cyberattacks attributed to a Chinese threat actor were for data theft (for comparison, the figure for Russia was 60 percent).39 Half of these also included “hijacking with misuse” (taking control of a computer to be able to run commands or change something on its disk), which often also ultimately serves for data stealing in Chinese attacks conducted by state-affiliated actors. APT1’s attacks on US targets between 2006 and 2013 are one example of hijacking that ultimately served to ensure that the PLA unit had continuous access to “steal broad categories of intellectual properties.”40

Often, Chinese threat actors try to stay undetected by transferring only small amounts of data. They analyze the data on-site and transfer only what is relevant.41 For example, the Winnti group attacks transferred only internal technology documentation, code-signing certificates (which enable supply-chain attacks), and source code.42

State institutions were the most important targets of attacks (with 32 percent). Critical infrastructure, corporate institutions, and science institutions were also very important ones, with the defense, energy, and telecommunications industries as well as military institutions targeted more frequently.

2.1 Chinese attacks target government departments and tech companies

Chinese threat actors have a diverse set of targets, but these mirror and support the priorities of China’s leadership, such as those outlined in the Five-Year Plan. They include dissidents, patent holders, and corporate and state counterparts in international negotiations. Chinese hackers have supported Chinese state-owned enterprises in trade negotiations by breaching the networks of important US firms like U.S. Steel and SolarWorld.43 RedAlpha, for example, is best known for targeting Tibetans in exile, but the infrastructure it uses (including servers and IP ranges) has also been used for hacking foreign governments. In several cases, government institutions were targeted during periods of dialogue with China.

Some actors seem to focus on specific strategic sectors. APT40, for instance, targets research projects at universities relating to naval capabilities, especially government-sponsored projects.44 Others, like APT24, focus on traditional espionage and stealing documents with political significance.45 Many collect information with political relevance as well as IP-related information in key industries. In 2018, RedAlpha targeted Daimler AG one day after the company cut its profit outlook as a result of growing tensions between China and the United States.46 All of this supports the argument that these activities originating from China are state-affiliated.47

Attacks for intelligence collection ahead of imminent events, not only high-level visits but also mergers and acquisitions talks, have been observed consistently. For example, a significant increase in Chinese scanning activity was observed in Alaska in 2018, just before a trade delegation from the US state was due to travel to China.48 This pattern has also been observed in Germany and in Belt and Road Initiative countries.49

2.2 China’s government is carrying out a campaign for cyber-espionage

The fact that many attacks originate in China is not necessarily evidence of government action. Given that China has 25 percent of the global online population and hosts many online servers with no or minimal protection, it is not surprising that many attacks originate in the country or can be traced back there.50 However, based on EuRepoC data, the research by international cybersecurity firms, and advisories from intelligence agencies, it is clear that China’s government is carrying out a deliberate campaign to obtain intelligence using hacks.

Sustained campaigns like Titan Rain show how an attack vector or exploit travels through China’s hacking scene and is shared between actors. If one of the actors involved is identified as a Chinese government one, this makes it likely that all the others are also state-affiliated, especially when taken together with analysis of their TTPs (tactics, techniques, and procedures), their targets, and open-source intelligence about specific hackers.51

There is also evidence that Chinese hacking groups obtain information about targets from government sources. The 2021 Vulnerability Disclosure Law requires that all companies operating in China, including cybersecurity and hacking companies, report any vulnerabilities to the authorities within two days. Two days is often not enough time for companies to patch a vulnerability,52 and, according to Microsoft, the increased use of zero-days (exploits for previously unknown vulnerabilities) by China-based actors is likely connected to this requirement.53 This suggests some level of coordination between government defensive and offensive forces.

Many Chinese threat actors have multiple roles. They conduct espionage of foreign government actors and conduct economic espionage of foreign private-sector actors, especially in areas of strategic importance for the state. Some also use the same tools and resources for personal profit. This further muddies the water for attribution.

APT41, the most prolific threat actor identified with 16 attacks, has conducted state-sponsored espionage as well as “financially motivated activity potentially outside of state control.”54 Since the Chinese authorities have regularly cracked down on criminal hackers, such activities suggest that the Ministry of State Security might not have as much control over some hacking groups as it would like to have.55

2.3 China’s government tries to increase control over hackers

The risk associated with the existence of proxies and a freelance cyber army has become apparent to China’s government. After Chinese hacktivists going by the name Honker or Red Hacker (红客) attacked the US embassy in Belgrade in 1999 following the US bombing of the Chinese embassy there, the government became more serious about reining in its hackers.56 The government has made efforts to phase out criminal freelancers. In 2015, Operation Clean Internet included some internationally active threat actors among its targets for arrest.57

China’s government is trying to restrict hackers to national hacking competitions instead of international ones. In 2017, the founder of China’s largest cybersecurity company, Qihoo 360, publicly criticized Chinese citizens travelling overseas for hackathons. In 2018, the organizers of Pwn2Own, an important international cybersecurity competition, announced that Chinese citizens could no longer participate in the contest due to domestic Chinese regulation.58 Chinese hacking teams still place fourth on CTFTime, the largest international “Capture the Flag” platform. Since 2018, the Tianfu Cup, a more real-world contest than many Western ones, has been hosted in China by major Chinese cybersecurity companies as well as Alibaba, Baidu, and Huawei.59 Modified exploits showcased at this event have been used by Chinese authorities to surveil the Uyghur population.60

The government has also stepped up its efforts to educate a huge cyber workforce, loyal to the Chinese Communist Party, that shores up both cybersecurity and hacking capabilities without posing a threat to the Party.61 The National Cybersecurity Center in Wuhan, an institution with a large campus set up to train cybersecurity workers, to incubate cybersecurity companies, and to conduct research, is a good indication of the significance the party-state gives to cybersecurity. Private-sector actors have also stepped up their education efforts, as their cyber job adverts show. There is a lot of demand for competition and “Capture the Flag” designers, and there has been a surge in domestic hacking competitions.

China’s government now has a firm grip on Chinese hackers, who often work for it through a series of shell companies loosely affiliated with regional branches of the Ministry of State Security (MSS) instead of being directly in the PLA hierarchy. Some of these hackers and contractor companies also contribute to domestic repression and support the Ministry of Public Security in obtaining evidence to use in interrogations, wiping devices, and censorship.62 Staying on the party’s good side allows some of these hackers to conduct financially motivated side activities, although regular crackdowns make this riskier.63