How China transformed into a prime cyber threat to the US

Hacks that were conducted via sloppily worded spearphishing emails by units of the People's Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities

By Nicole Perlroth
Published: Jul 20, 2021

Anne Neuberger, the deputy national security adviser for cyber and emerging technology, addresses a news conference at the White house in Washington on Feb. 17, 2021, about the SolarWinds cyber attack. The Biden administration on Monday, July 19, 2021, formally accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States joined a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world. (Pete Marovich/The New York Times)

Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing emails against American companies for intellectual property theft.

On Monday, the United States again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed U.S. officials a decade ago.

The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former U.S. officials, shows that China has reorganized its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralized digital assaults on American companies and interests around the world.

Hacks that were conducted via sloppily worded spearphishing emails by units of the People’s Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security, according to U.S. officials and the indictment.

While phishing attacks remain, the espionage campaigns have gone underground and employ sophisticated techniques. Those include exploiting “zero-days,” security holes in widely used software that the vendor does not yet know about and has not patched, such as Microsoft’s Exchange email service and Pulse VPN security devices. Because no fix exists when these flaws are exploited, they are harder to defend against and allow China’s hackers to operate undetected for longer periods.


“What we’ve seen over the past two or three years is an upleveling” by China, said George Kurtz, CEO of the cybersecurity firm CrowdStrike. “They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”

China has long been one of the biggest digital threats to the United States. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 U.S. intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.

But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks — including ransomware attacks — into a major diplomatic front with superpowers like Russia, and U.S. relations with China have steadily deteriorated over issues including trade and tech supremacy.

In 2015, Obama officials threatened to greet President Xi Jinping of China with an announcement of sanctions on his first visit to the White House, after a particularly aggressive breach of the U.S. Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information on more than 20 million people, including millions of fingerprints, for Americans who had been granted a security clearance.

White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.

After President Donald Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, U.S. intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the Ministry of State Security, which handles China’s intelligence, security and secret police.

Hacks of intellectual property that benefited China’s economic plans originated not from the PLA but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.

It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified U.S. National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”

On Monday, the White House provided more clarity. In its detailed indictment, the United States accused China’s Ministry of State Security of being behind an aggressive assault on Microsoft’s Exchange email systems this year.

The United States also accused Chinese universities of playing a critical role, recruiting students to the front companies and running their key business operations, like payroll.

The indictment also accused Chinese “government-affiliated” hackers of conducting ransomware attacks that extort companies for millions of dollars. Scrutiny of ransomware attackers had previously fallen largely on Russia, Eastern Europe and North Korea.

Secretary of State Antony Blinken said in a statement Monday that China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

©2019 New York Times News Service
