Over the past decade, China reorganized its hacking operations, turning into a sophisticated and mature adversary.
Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing emails against American companies for intellectual property theft.
On Monday, the United States again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed U.S. officials a decade ago.
The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former American officials, shows that China has reorganized its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralized digital assaults on American companies and interests around the world.
Hacks that were conducted via sloppily worded spearphishing emails by units of the People’s Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security, according to U.S. officials and the indictment.
While phishing attacks remain, the espionage campaigns have gone underground and employ sophisticated techniques. Those include exploiting “zero-days,” or unknown security holes in widely used software like Microsoft’s Exchange email service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.
“What we’ve seen over the past two or three years is an upleveling” by China, said George Kurtz, the chief executive of the cybersecurity firm CrowdStrike. “They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”
China has long been one of the biggest digital threats to the United States. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 U.S. intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.
But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks — including ransomware attacks — into a major diplomatic front with superpowers like Russia, and U.S. relations with China have steadily deteriorated over issues including trade and tech supremacy.
China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.
Those breaches and thousands of others prompted the Obama administration to finger China’s People’s Liberation Army hackers in a series of indictments for industrial trade theft in 2014. A single Shanghai-based unit of the People’s Liberation Army, known as Unit 61398, was responsible for hundreds — some estimated thousands — of breaches of American companies, The Times reported.
In 2015, Obama officials threatened to greet President Xi Jinping of China with an announcement of sanctions on his first visit to the White House, after a particularly aggressive breach of the U.S. Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.
White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.
After President Donald J. Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, U.S. intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the Ministry of State Security, which handles China’s intelligence, security and secret police.
Hacks of intellectual property that benefited China’s economic plans originated not from the P.L.A. but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.
It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified U.S. National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”
On Monday, the White House provided more clarity. In its detailed indictment, the United States accused China’s Ministry of State Security of being behind an aggressive assault on Microsoft’s Exchange email systems this year.
The Justice Department separately indicted four Chinese nationals for coordinating the hacking of trade secrets from companies in aviation, defense, biopharmaceuticals and other industries.
According to the indictments, Chinese nationals operated from front companies, like Hainan Xiandun, that the Ministry of State Security set up to give Chinese intelligence agencies plausible deniability. The indictment included a photo of one defendant, Ding Xiaoyang, a Hainan Xiandun employee, receiving a 2018 award from the Ministry of State Security for his work overseeing the front company’s hacks.
The United States also accused Chinese universities of playing a critical role, recruiting students to the front companies and running their key business operations, like payroll.
The indictment also pointed to Chinese “government-affiliated” hackers for conducting ransomware attacks that extort companies for millions of dollars. Scrutiny of ransomware attackers had previously largely fallen on Russia, Eastern Europe and North Korea.
Secretary of State Antony J. Blinken said in a statement on Monday that China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
China has also clamped down on research about vulnerabilities in widely held software and hardware, which could potentially benefit the state’s surveillance, counterintelligence and cyberespionage campaigns. Last week, it announced a new policy requiring Chinese security researchers to notify the state within two days when they found security holes, such as the “zero-days” that the country relied on in the breach of Microsoft Exchange systems.
The policy is the culmination of Beijing’s five-year campaign to hoard its own zero-days. In 2016, the authorities abruptly shuttered China’s best-known private platform for reporting zero-days and arrested its founder. Two years later, Chinese police announced that they would start enforcing laws banning the “unauthorized disclosure” of vulnerabilities. That same year, Chinese hackers, who were a regular presence at big Western hacking conventions, stopped showing up, on state orders.
“If they continue to maintain this level of access, with the control that they have, their intelligence community is going to benefit,” Mr. Kurtz said of China. “It’s an arms race in cyber.”