Article 3 | The Rise of Chinese Cyber Espionage
China’s Cyber Capabilities and Threat Landscape
Makenna Petersen

China's cyber capabilities are powerful, strategic and not to be underestimated. As the competition between the United States (U.S.) and China intensifies, cyberattacks and operations have emerged as significant tools for China to acquire sensitive information and influence key American industries. Consequently, cybercrimes – including online gambling, hacking, targeted disruption campaigns and strategic cyber espionage – have become increasingly prevalent.
Highlighting China’s most operative means of malicious cyber activity, reports indicate that Beijing has conducted more cyber espionage campaigns than any other country in the world, surprisingly beating Russia by 30 percent.1 For example, between 2000 and 2020, China conducted 90 cyber espionage campaigns, 32 of which specifically targeted “private entities across 10 different commercial sectors.”2 In every one of these operations, the main objective was to steal data from and compromise U.S. private entities. Harvard’s Dyadic Cyber Incident and Campaign Dataset (DCID) further supports this point, reporting that the information technology, healthcare and public health, and energy sectors are the most frequently targeted.3 This became evident on a large scale when APT1, a Chinese military-sponsored threat actor group, targeted various private-sector industries to steal intellectual property, prompting a landmark Mandiant report detailing the threat actor’s targets and behaviors.4
This brings up two important questions explored throughout this article: Why is China a known hub for cybercrime and sophisticated espionage operations and why is it favorable for individuals to operate their nefarious cyber activities from China?
Adam Marrè, chief information security officer of the cybersecurity firm Arctic Wolf, gives his perspective on the topic. He claims that Beijing sees “cyber as a natural extension of their statecraft and have seldom been afraid to utilize cyber techniques to further their own national interests.”5 In other words, he claims that political motivations are largely what drive Chinese cyber actors to conduct their operations. Moreover, U.S. industries such as defense, communications, technology and more have often been targeted by Chinese actors – perhaps strategically – in tandem with the Chinese Communist Party’s ‘Made in China 2025’ scheme, which aims to upgrade Chinese industry.6;7 In light of this, it is profoundly likely that these Chinese cyber actors, whose main objective over the years has been stealing data and compromising American business sectors, work for “communist technocrats in modern China.”8 Stated simply, many of China’s hacking and espionage cases are likely state-sponsored operations, and given that 65,000 cases of cybercrime were reported in 2021 alone, the volume of state-sponsored operations could be remarkably high.9
How does this work? If Chinese hackers and cybercriminals are hired by the government to do its bidding, it not only provides the government plausible deniability, but also yields financial incentives for cyber actors. In 2015, however, the U.S. and China attempted to make diplomatic improvements by pledging that neither government would "conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage."10 Despite these efforts, the effectiveness of this agreement remains a topic of debate.11 Given the lack of effective cybersecurity regulations, law enforcement and extradition treaties, bad cyber actors are often not caught. Unsurprisingly, the U.S. and China do not have an extradition treaty. Therefore, individuals who are located in China, whom the U.S. seeks to arrest, cannot be extradited.12
For example, in August, the U.S. charged – but could not arrest, due to the lack of an extradition treaty – seven hackers associated with the Chinese government who initiated computer intrusions targeting “journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets.”13 These seven hackers are reportedly part of the APT31 hacking group, which aids China’s Ministry of State Security’s transnational repression, economic espionage and foreign intelligence objectives.14 The group successfully sent “over 10,000 malicious emails, impacting thousands of victims, across multiple continents.”15 Both the United Kingdom (UK) and New Zealand governments have raised concerns about APT31 activity within their borders and electoral systems.16 This signifies a broader Chinese strategy that targets not only U.S. industries but also fundamental systems within the Five Eyes framework – an intelligence alliance including Australia, Canada, New Zealand, the UK and the U.S.
Because China often relies on plausible deniability when sponsoring cyber actors to target Western entities, it has found it challenging to effectively enforce cyber laws against domestic cybercrime. China has one of the largest populations in the world, with a recorded 1.41 billion people, and much of it, approximately 76 percent, is connected to the internet. This provides a number of opportunities for bad actors to exploit networks.17;18 In other words, China’s mass population may provide an extra layer of anonymity for bad cyber actors.
In 2017, however, China enacted a Cyber Security Law (CSL), which aims at “creating a separate and heavily controlled sovereign Chinese cyberspace.”19 CSL is specifically targeted at businesses as the Chinese government had concerns over firms holding “a vast amount of the nation's data resources.” Controlling this data has proven to be a main objective of this law.20 However, enforcement has proven tricky with the “low level of cybersecurity maturity and rampant online fraud.”21
Despite the legal attempts to rein in cybercrime on the domestic level, China remains one of the world’s leading nations in cybercrime, with powerful capabilities at that. In fact, the world’s largest botnet was designed by a Chinese national, YunHe Wang.22 For clarification, a botnet is a “network of computers infected by malware that are under the control of a single attacking party.”23 This particular botnet was “used to conduct cyberattacks, fraud, child exploitation, bomb threats and export violations.”24 It was “administered through around 150 servers worldwide, infecting 19 million IP addresses in over 200 countries.”25 Nevertheless, Wang was arrested in 2024 in Singapore as a result of a multinational operation between the U.S., Singapore, Thailand and Germany.26 Note here that he was not arrested in China. The U.S. has an extradition treaty with Singapore, which allowed the U.S. to make the arrest. This example highlights just how much damage can be done under the control of a single skilled cyber actor.
There are a number of malicious cyber groups originating from China to be mindful of and, in turn, to learn from. In addition to the recent APT31 threat, APT groups dubbed Volt Typhoon and Elderwood should be noted.
Volt Typhoon
Active since 2021, Volt Typhoon is a Chinese-linked threat actor that has become a threat not only to the U.S. but also across Asia.27 The group's main targets have been critical infrastructure organizations in these regions, and Microsoft Threat Intelligence believes the main goal is to “disrupt critical communications infrastructure between the [U.S.] and Asia region during future crises.”28 In fact, Volt Typhoon reportedly maintained access within U.S. critical infrastructure for as long as five years, firmly placing itself in a strategic position for future attacks.29
While it is remarkably alarming that a Chinese APT group was able to lie dormant for as long as five years without being flagged by U.S. entities, this is predominantly because of the techniques the group utilizes. Volt Typhoon has mastered living-off-the-land techniques and hands-on-keyboard activity. For clarification, living-off-the-land (LofL) techniques are those in which the malicious actor uses machine-readable code or binaries already provided by the operating system to conduct its activity, blending in with pre-existing network activity rather than introducing malware that defenses could flag.30 Hands-on-keyboard activity simply means that a cyber actor is manually operating within an organization's network.31 As Microsoft Threat Intelligence reports, “they issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”32 Consequently, it is necessary to pay attention to this actor.
Due to the nature of Volt Typhoon’s operations, the Cybersecurity and Infrastructure Security Agency (CISA) was proactive and published actions which businesses can use to mitigate this group's activity:
“Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
Implement phishing-resistant MFA.
Ensure logging is turned on for application, access, and security logs and store logs in a central system.
Plan “end of life” for technology beyond manufacturer’s supported lifecycle.”33
For more information you can visit:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
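The three-step command-line pattern quoted from Microsoft above is hard to catch one command at a time, because each living-off-the-land binary is also used legitimately; the signal is the ordered pair of credential collection followed by archiving on the same host, which is only visible if CISA's advice to centralize application and security logs has been followed. The following detection script is an added example, not code from the article or from any of the cited agencies or vendors; it assumes a constructed JSON-lines log schema (ts, host, user, cmdline) and constructed sample records, not any vendor's real telemetry.

```python
"""Pair credential-collection commands with a later archive command on the
same host, the staging pattern described above. Added example; assumes a
constructed JSON-lines schema (ts, host, user, cmdline), not a real product's."""
import json
import re
from datetime import datetime, timedelta

# Stage 1: OS-provided tools that copy credential stores (living-off-the-land).
COLLECT = re.compile(r"ntdsutil\.exe.*\bifm\b|reg\.exe\s+save\b", re.I)
# Stage 2: OS-provided archivers used to stage data before exfiltration.
STAGE = re.compile(r"makecab\.exe|tar\.exe|Compress-Archive", re.I)
# Stage 3 (reuse of stolen valid credentials) needs logon telemetry, not covered.
WINDOW = timedelta(hours=24)  # how long a stage-1 hit stays "live" for a host


def parse(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify(cmdline: str):
    """Map one command line to a stage name, or None if uninteresting."""
    if COLLECT.search(cmdline):
        return "collect"
    if STAGE.search(cmdline):
        return "stage"
    return None


def find_staging_chains(lines):
    """Return (host, user, ts) for every archive run that follows a credential
    collection on the same host within WINDOW. Either stage alone is noisy
    (backups, admin work); the ordered pair on one host is the signal."""
    recent_collect = {}  # host -> timestamp of the latest stage-1 command
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        kind = classify(rec["cmdline"])
        if kind == "collect":
            recent_collect[rec["host"]] = rec["ts"]
        elif kind == "stage":
            t0 = recent_collect.get(rec["host"])
            if t0 is not None and rec["ts"] - t0 <= WINDOW:
                alerts.append((rec["host"], rec["user"], rec["ts"].isoformat()))
    return alerts


# Constructed sample records: DC01 shows the chain; FS02 archives with no prior
# collection; DC03's collection is too old to pair with its later archive.
SAMPLE_LOGS = r"""
{"ts":"2024-02-01T02:10:00","host":"DC01","user":"svc_backup","cmdline":"ntdsutil.exe ac i ntds ifm create full C:\\Temp\\ifm q q"}
{"ts":"2024-02-01T02:14:30","host":"DC01","user":"svc_backup","cmdline":"makecab.exe C:\\Temp\\ifm\\ntds.dit C:\\Temp\\u.cab"}
{"ts":"2024-02-01T09:00:00","host":"FS02","user":"jdoe","cmdline":"tar.exe -cf C:\\Users\\jdoe\\docs.tar C:\\Users\\jdoe\\Documents"}
{"ts":"2024-01-28T01:00:00","host":"DC03","user":"admin","cmdline":"reg.exe save HKLM\\SYSTEM C:\\Temp\\sys.hiv"}
{"ts":"2024-02-01T01:00:00","host":"DC03","user":"admin","cmdline":"makecab.exe C:\\Temp\\sys.hiv C:\\Temp\\s.cab"}
""".strip().splitlines()

if __name__ == "__main__":
    for host, user, ts in find_staging_chains(SAMPLE_LOGS):
        print(f"ALERT {host}: {user} archived data at {ts} shortly after credential collection")
```

Tune WINDOW and the two pattern lists to your own environment's baseline; the pairing logic is the part that survives when the binaries change.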
The following threat actor group, Elderwood, highlights a more in-depth example of the damage Chinese threat actors can inflict when operations are carefully thought out and executed.
Elderwood
The Chinese-linked threat actor known as Elderwood is a slightly different example from Volt Typhoon. The group has targeted various industries, including defense, supply chain manufacturers, NGOs and IT service providers.34 Their tactics include phishing emails, zero-day exploits, attacks on third-party manufacturers and compromising websites likely used by their targets.35
Furthermore, this actor is responsible for the 2009 Google intrusion named Operation Aurora, which likely motivated Google to shift to a zero-trust model for its cybersecurity strategy.36 Operation Aurora was a breach in which hackers sought source code from Google, Adobe and other high-profile companies.37 In fact, Elderwood targeted “at least 34 companies in the technology, financial and defense sectors.”38 According to Google, this threat actor “stole the company’s intellectual property and sought access to Gmail accounts of Chinese human rights activists.”39
This is somewhat similar to APT31 targeting critics of the Chinese regime; however, Operation Aurora was dubbed one of the most “highly-sophisticated attacks outside of the defense industry, combining tactics like encryption, stealth programming, malware and the exploitation of a vulnerability in Internet Explorer.”40 This is because its “encryption was highly successful in obfuscating the attack and avoiding common detection methods.”41 There was another layer here, too. The attacks were tactfully timed “during the holiday season, when companies and defense teams were lightly staffed.”42
Take note, Elderwood attacked during the holiday season when the company arguably was at its most vulnerable. Be sure to have systems in place to ensure your business is safeguarded all 365 days of the year.
Next, the series focuses on the rapidly growing cybercrime hub of Iran.
Notes
1 Jensen, Benjamin, “How the Chinese Communist Party uses cyber espionage to undermine the American economy,” Center for Strategic & International Studies, October 19, 2023. https://www.csis.org/analysis/how-chinese-communist-party-uses-cyber-espionage-undermine-american-economy
2 Ibid.
3 Valeriano, Brandon, “Dyadic Cyber Incident Dataset v 2.0,” Harvard Dataverse, September 19, 2022. https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi%3A10.7910%2FDVN%2FCQOMYV
4 McWhorter, Dan, “Mandiant Exposes APT1 – One of China’s Cyber Espionage Units – and Releases 3,000 Indicators,” Google Cloud, February 19, 2013. https://cloud.google.com/blog/topics/threat-intelligence/mandiant-exposes-apt1-chinas-cyber-espionage-units
5 Davidson, Helen, “Cyber-attacks linked to Chinese spy agencies are increasing, say analysts,” The Guardian, March 26, 2024. https://www.theguardian.com/technology/2024/mar/26/china-cyber-attacks-are-increasing-western-analysts-warn
6 Jensen, Benjamin, “How the Chinese Communist Party uses cyber espionage to undermine the American economy,” Center for Strategic & International Studies, October 19, 2023. https://www.csis.org/analysis/how-chinese-communist-party-uses-cyber-espionage-undermine-american-economy
7 Kennedy, Scott, “Made in China 2025,” Center for Strategic & International Studies, June 1, 2015. https://www.csis.org/analysis/made-china-2025
8 Jensen, Benjamin, “How the Chinese Communist Party uses cyber espionage to undermine the American economy,” Center for Strategic & International Studies, October 19, 2023. https://www.csis.org/analysis/how-chinese-communist-party-uses-cyber-espionage-undermine-american-economy
9 Kass, Howard, “Cybercrime top 10 rankings: China is no. 1 while U.S. records highest rate of security breaches,” MSSP Alert, December 23, 2022. https://www.msspalert.com/news/cybercrime-top-10-rankings-china-is-no-1-while-u-s-records-highest-rate-of-security-breaches
10 Segal, Adam, “The U.S.-China Cyber Espionage Deal One Year Later,” Council on Foreign Relations, September 28, 2016. https://www.cfr.org/blog/us-china-cyber-espionage-deal-one-year-later
11 Ibid.
12 “Countries without Extradition 2024,” World Population Review, 2024. https://worldpopulationreview.com/country-rankings/countries-without-extradition
13 “Seven hackers associated with Chinese government charged with computer intrusions targeting perceived critics of China and U.S. businesses and politicians,” U.S. Department of Justice: Office of Public Affairs, March 24, 2024. https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived
14 Ibid.
15 Ibid.
16 Davidson, Helen, “Cyber-attacks linked to Chinese spy agencies are increasing, say analysts,” The Guardian, March 26, 2024. https://www.theguardian.com/technology/2024/mar/26/china-cyber-attacks-are-increasing-western-analysts-warn
17 “Population, total - China,” World Bank Group: Data, n.d. https://data.worldbank.org/indicator/SP.POP.TOTL?end=2023&locations=CN&start=1960
18 “Individuals using the internet (% of population) - China,” World Bank Group: Data, n.d. https://data.worldbank.org/indicator/IT.NET.USER.ZS?locations=CN
19 Fitzsimmons, Jim, “China’s cyber security law: How prepared are you?” Control Risks, November 7, 2018. https://www.controlrisks.com/our-thinking/insights/chinas-cyber-security-law
20 Ibid.
21 Ibid.
22 Nguyen, Thao, “Chinese national charged with operating “world’s largest botnet” linked to billions in Cybercrimes,” USA Today, May 28, 2024. https://www.usatoday.com/story/news/nation/2024/05/29/botnet-chinese-national-arrest-justice-department/73899904007/
23 “What is a botnet?” Palo Alto Networks, n.d. https://www.paloaltonetworks.com/cyberpedia/what-is-botnet
24 Nguyen, Thao, “Chinese national charged with operating “world’s largest botnet” linked to billions in Cybercrimes,” USA Today, May 28, 2024. https://www.usatoday.com/story/news/nation/2024/05/29/botnet-chinese-national-arrest-justice-department/73899904007/
25 Ibid.
26 Ibid.
27 “Volt typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Threat Intelligence: Microsoft Security, May 24, 2023. https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
28 Ibid.
29 “PRC state-sponsored actors compromise and maintain persistent access to U.S. critical infrastructure,” Cybersecurity and Infrastructure Security Agency, February 7, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
30 Elsad, Amer, “Living-off-the-land attacks,” Armor Defense Inc., November 11, 2021. https://res.armor.com/resources/threat-intelligence/living-off-the-land-attacks/
31 Foss, Greg, “All hands-on keyboard: Interactive intrusions campaigns,” The Fast Mode, April 27, 2023. https://www.thefastmode.com/expert-opinion/31746-all-hands-on-keyboard-interactive-intrusions-campaigns
32 “Volt typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Threat Intelligence: Microsoft Security, May 24, 2023. https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
33 “PRC state-sponsored actors compromise and maintain persistent access to U.S. critical infrastructure,” Cybersecurity and Infrastructure Security Agency, February 7, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
34 O’Gorman, Gavin, and Geoff McDonald, “The Elderwood Project,” Symantec Security Response, n.d., 1. https://users.umiacs.umd.edu/~tdumitra/courses/ENEE759D/Fall13/papers/the-elderwood-project.pdf
35 Ibid., 1.
36 Zetter, Kim, “Google Hack attack was Ultra Sophisticated, new details show,” Wired, January 14, 2010. https://www.wired.com/2010/01/operation-aurora/
37 Ibid.
38 Ibid.
39 Cohen, Gary, “Throwback attack: Operation Aurora signals a new era in industrial threat,” Industrial Cybersecurity Pulse, December 22, 2022. https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-operation-aurora-signals-a-new-era-in-industrial-threat/
40 Zetter, Kim, “Google Hack attack was Ultra Sophisticated, new details show,” Wired, January 14, 2010. https://www.wired.com/2010/01/operation-aurora/
41 Ibid.
42 Cohen, Gary, “Throwback attack: Operation Aurora signals a new era in industrial threat,” Industrial Cybersecurity Pulse, December 22, 2022. https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-operation-aurora-signals-a-new-era-in-industrial-threat/