Xi Jinping’s efforts to point the way forward on China becoming a “major cyber-power” have met growing resistance from foreign governments. On Monday, the U.S. and U.K. announced sanctions and filed criminal charges against a company and individuals accused of working on behalf of the Chinese government to conduct cyber attacks against U.S. and European lawmakers, academics, activists, journalists, and private companies, among other targets. Jonathan Greig at The Record provided an overview of the measures taken against these Chinese actors:
The U.S. sanctioned a Wuhan-based company believed to be a front for China’s Ministry of State Security on Monday following dozens of attacks on critical infrastructure.
The Justice and Treasury Departments accused Wuhan Xiaoruizhi Science and Technology Company of being a cover for APT31 — a notorious China-based hacking group known for previously targeting “a wide range of high-ranking U.S. government officials and their advisors” including staff at the White House, members of Congress from both parties and several U.S. departments.
[…] The sanctions include two Chinese nationals — Zhao Guangzong and Ni Gaobin, both 38 — who are accused of working for the company and launching attacks against U.S. critical infrastructure.
Alongside the sanctions, the Justice Department unsealed indictments of Zhao, Ni and five others for their work within APT31.
[…] The State Department added the seven to the Rewards for Justice program, offering [up to $10 million USD] for any information on their whereabouts. They are all believed to be in China.
The investigation into the company was led by the Justice Department, FBI and the government of the United Kingdom. On Monday, Britain also announced sanctions against the company, Zhao and Ni, for targeting British parliamentarians. [Source]
Based on the U.S. Department of Justice (DOJ) press release, the Chinese actors used sophisticated hacking techniques, including zero-day exploits. The DOJ stated that the accused posed as prominent news outlets or journalists and sent over 10,000 malicious emails that “contained hidden tracking links, such that if the recipient simply opened the email, information about the recipient, including the recipient’s location, internet protocol (IP) addresses, network schematics, and specific devices used to access the pertinent email accounts, was transmitted to a server controlled by the defendants and those working with them.”
The DOJ emphasized that among the targets were dissidents around the world and those perceived to be supporting them, including Hong Kong pro-democracy activists and their associates. Dan Goodin at Ars Technica compiled a list of targets that were successfully hacked by APT31, based on the DOJ indictment:
• a cleared defense contractor based in Oklahoma that designed and manufactured military flight simulators for the US military
• a cleared aerospace and defense contractor based in Tennessee
• an Alabama-based research corporation in the aerospace and defense industries
• a Maryland-based professional support services company that serviced the Department of Defense and other government agencies
• a leading American manufacturer of software and computer services based in California
• a leading global provider of wireless technology based in Illinois; a technology company based in New York
• a software company servicing the industrial controls industry based in California
• an IT consulting company based in California; an IT services and spatial processing company based in Colorado
• a multifactor authentication company; an American trade association
• multiple information technology training and support companies
• a leading provider of 5G network equipment in the United States
• an IT solutions and 5G integration service company based in Idaho
• a telecommunications company based in Illinois
• a voice technology company headquartered in California;
• a prominent trade organization with offices in New York and elsewhere
• a manufacturing association based in Washington, DC
• a steel company
• an apparel company based in New York
• an engineering company based in California
• an energy company based in Texas
• a finance company headquartered in New York
• A US multi-national management consulting company with offices in Washington, DC, and elsewhere
• a financial ratings company based in New York
• an advertising agency based in New York
• a consulting company based in Virginia;
• multiple global law firms based in New York and throughout the United States
• a law firm software provider
• a machine learning laboratory based in Virginia
• a university based in California
• multiple research hospitals and institutes located in New York and Massachusetts
• an international non-profit organization headquartered in Washington, DC. [Source]
The #APT31 indictment unsealed today highlights China's Ministry of State Security’s transnational repression against Hong Kong democracy activists https://t.co/vTlhAzpqhX #surveillance pic.twitter.com/FvvhmXTqD4
— Greg Walton ⚗️ (Bluesky: @jamyang.net) (@meta_lab) March 25, 2024
The DOJ indictment also stated that some of these Chinese actors set their sights on U.K. and European targets, including 43 U.K. parliamentary accounts and every European Union member of the Inter-Parliamentary Alliance on China (IPAC). Three British lawmakers told reporters that they have been “subjected to harassment, impersonation and attempted hacking from China for some time.” AJ Vicens and Derek B. Johnson from Cyberscoop reported that another major target of the Chinese actors was the U.K.’s Electoral Commission:
U.K. officials also accused Chinese hackers of targeting British politics on Monday. In a speech, Deputy Prime Minister Oliver Dowden accused Chinese-linked hackers of being behind a 2021 hack of the Electoral Commission that pilfered data on 40 million registered U.K. voters and a separate campaign that same year targeting email accounts belonging to three members of the British Parliament who are critical of China.
[…] The operation against the members was attributed to APT31, while the Electoral Commission hack was attributed more generally to Chinese-linked hackers.
[…] The Electoral Commission breach — which occurred in 2021, was initially detected in October 2022 and first disclosed in August 2023 — affected the agency’s file sharing and email systems, giving hackers access to a wealth of personal data on around 40 million registered voters in the U.K.
That information would have included the names and addresses of anyone in Great Britain who registered to vote between 2014 and 2022, Northern Ireland voters who registered to vote in 2018, and information sent to the commission through emails or the contact form on its website. [Source]
In response, the British government announced sanctions that will freeze assets of the Chinese actors and impose a travel ban on them. It will also summon the Chinese ambassador “to account for China’s conduct in these incidents.” But some observers criticized the belated timing of the British government’s actions. Luke de Pulford, IPAC’s executive director, said that with the Electoral Commission cyber attack taking place back in 2021, this “indicates that the government was a little bit reluctant to say that China had actually done this.”
& public warnings from #Tibetan and #Uyghur diaspora communities predated the first NISCC advisory by three years https://t.co/nEVaARbeg5 (2002) https://t.co/dHEONHpN2x
— Greg Walton ⚗️ (Bluesky: @jamyang.net) (@meta_lab) March 25, 2024
Meanwhile, as Lucy Craymer reported for Reuters, the New Zealand government revealed on Tuesday that it had rebuked China for its alleged role in cyber operations against the New Zealand parliament:
The government said earlier on Tuesday its communications security bureau (GCSB), which overseas cyber security and signals intelligence, had established links between a Chinese state-sponsored actor known as Advanced Persistent Threat 40 (APT40) and malicious cyber activity targeting New Zealand’s parliamentary services and parliamentary counsel office in 2021.
The GCSB said APT40 is affiliated with the Ministry of State Security.
It added APT40 had gained access to important information that enables the effective operation of New Zealand government but nothing of a sensitive or strategic nature had not been removed. Instead, the GCSB said it believed the group had removed information of a more technical nature that would have allowed more intrusive activity. [Source]
Matt Burgess from WIRED described reactions from experts who highlighted the significance of these Chinese espionage operations:
“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” Breon Peace, a US attorney for the Eastern District of New York, said in a statement. “Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”
[…] “China is embarking on a huge global campaign of interference and espionage, and the UK and the like-minded nations are pretty sick of it,” says Tim Stevens, a global security lecturer and head of the cybersecurity research group at King’s College London. Stevens says the public shaming and sanctions are unlikely to significantly change China’s actions but may signal a warning to other countries about what is and isn’t deemed acceptable when it comes to international affairs.
[…] “It’s really remarkable that China would go after election oversight systems, particularly given the diplomacy that the PRC [People’s Republic of China] is trying to pull off with the EU,” Cary says. “It’s a very significant act for the PRC to go after these types of systems,” Cary says. “It’s something that democracies are really sensitive to.” [Source]
These latest revelations join a growing list of Chinese offensive cyber operations against U.S. and British targets. In September 2023, U.K. parliamentary aide and researcher Chris Cash was arrested over allegations of spying for the Chinese government. In January 2024, U.S. officials stated that they disrupted a Chinese state-backed effort to plant malware across U.S. infrastructure networks. In February 2020, the U.S. Department of Justice charged four members of the Chinese People’s Liberation Army (PLA) with the 2017 hacking of consumer credit reporting agency Equifax, a breach that exposed the personal information of over 145 million Americans.
Data leaks have shed light on related Chinese operations around the world. In February 2024, a major data leak from Chinese cybersecurity firm I-Soon revealed operations targeting actors in over 20 countries and led by hackers contracting for the Chinese government. In May 2023, a leaked document appeared to detail an operation by 40 Ministry of Public Security computer specialists from around the country to combat “overseas cyber forces” in the battle for public opinion. Following reports that Chinese actors hacked into several ministries and institutions of the Kenyan government, Chinese state media launched a narrative counterattack to restore its image.
The U.S. has struggled to find a balanced approach to combating transnational repression by Chinese state actors that avoids domestic overreach. Congress is currently debating a bill that would ban TikTok, an app owned by Chinese firm ByteDance, in part due to cyberespionage concerns, but critics claim that the bill is poorly designed and infringes on freedom of speech.
