China’s Hackers Are Expanding Their Strategic Objectives
Published by The Lawfare Institute
On Nov. 15, President Joe Biden and Chinese President Xi Jinping met in California on the sidelines of the Asia-Pacific Economic Cooperation summit in an effort to stabilize ties between the U.S. and China and to discuss issues ranging from fentanyl to artificial intelligence safety. The meeting took place against the backdrop of a shifting landscape in cyberspace, in which U.S. officials see China expanding its strategy and focusing on critical infrastructure. This threat was not addressed in the readouts or press accounts of the meeting. Nevertheless, while the leaders did not appear to discuss cybersecurity or the possibility of setting norms in the digital domain, the question of how the two powers will interact in cyberspace looms large.
In October, Cybersecurity and Infrastructure Security Agency (CISA) Executive Director Brandon Wales described China as “the number one geostrategic challenge for the United States, both broadly and then absolutely within the cyber realm.” This may come as a surprise to some readers given the pressing national security concerns in Ukraine and the Middle East, each accompanied by its own set of hacking operations by Russia and Iran that the U.S. must deter. But while these digital threats may be the most urgent, recent analyses by U.S. government officials suggest that China may be the most important cyber threat at the moment.
In its October report to Congress reviewing China’s military and security activity over the course of 2022, the Department of Defense warned that hackers in China—who have targeted U.S. government systems, including within the department—are stealing “sensitive information from the critical defense infrastructure and research institutes.” The report identified three possible motives, describing the attacks as designed for “economic and military advantage and possibly for cyberattack preparations.” In the event of a conflict, China-based hackers have developed tools to attack U.S. critical infrastructure, including the “disruption of a natural gas pipeline for days to weeks,” the department assessed.
The report underscores recent warnings by U.S. officials about the nature of China’s threat to the United States. China appears to be expanding its ambitions in cyberspace, and developing the workforce to achieve them. “The scale of the Chinese cyber threat is unparalleled—they’ve got a bigger hacking program than every other major nation combined,” FBI Director Christopher Wray said in April, speaking before a House Appropriations subcommittee. “If each one of the FBI’s cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50 to 1,” he said. While, in past decades, China’s hackers have been infamous for massive economic espionage and intelligence gathering operations, U.S. experts have increasingly noticed China’s hackers targeting critical infrastructure to maintain disruptive capabilities.
China’s New Ambitions: Critical Infrastructure
In his recent comments, delivered at an October Washington Post event, Wales cited a recent example of China’s current focus in cyberspace: “a series of intrusions that China has executed directly targeting U.S. critical infrastructure, compromising that infrastructure to preposition for future disruptive or destructive operations.” Wales described these hacks as evidence of a trend in which China is expanding its focus from hacking for espionage to targeting entities with the intention of developing damaging cyber capabilities that can be deployed against those targets in a conflict. He added that, in recent years, the United States has uncovered examples of China-linked hackers compromising critical infrastructure as early as 2012, but it wasn’t until more recently that the intelligence community developed an understanding of China’s underlying strategy. “If you had asked me 10 years ago, the answer would have been China is primarily focused on economic and political espionage, looking to advance their economy, looking to steal secrets or plans for fighter jets, but that threat is absolutely evolving. I think it is far more serious today,” he said. “If we want to enjoy the freedom of action on the geopolitical stage and we want the ability to ensure that we can defend our friends and allies around the world, we cannot let hostile nations like China into our critical infrastructure and hold it at risk.”
A series of recent reports from the U.S. defense and intelligence community underscore Wales’s analysis. For example, the Defense Department’s October report to Congress assessed that China “seeks to create disruptive and destructive effects … to shape decision making and disrupt military operations beginning in the initial stages and throughout a conflict.” It added that China “believes these capabilities are even more effective against militarily superior adversaries that depend on information technologies.” Similarly, the 2023 Annual Threat Assessment, released in February by the Office of the Director of National Intelligence (ODNI), stated that, if the geopolitical landscape were to shift such that a U.S.-China conflict appeared near, Beijing would likely consider hacking U.S. military targets across the globe as well as U.S. critical infrastructure—and it would be well positioned to do so. “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States,” the report said.
This year, the United States has issued a series of warnings about China-based hacking incidents. In May, cyber agencies from each of the Five Eyes countries—the U.S., U.K., Australia, Canada, and New Zealand—issued a joint warning about a group of Chinese state-sponsored hackers, known as Volt Typhoon, that targeted “networks across U.S. critical infrastructure sectors.” Cyber agencies from the five countries warned that Volt Typhoon “could apply the same techniques against these and other sectors worldwide” and issued two dozen pages of technical detail about the group’s tactics. According to Microsoft, which initially detected the activity, Volt Typhoon had engaged in a multi-year campaign, beginning in mid-2021, aimed at hacking into critical infrastructure, including “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.” This cyber operation—which is likely the activity to which Wales referred in his recent remarks—was aimed at the United States and Guam, a territory where the U.S. has strategic military bases.
In late September, the United States and Japan released an advisory about new activity by a China-linked hacking group known as BlackTech. According to the alert, the group targeted “government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan.” The advisory—which was issued by the U.S. National Security Agency, Federal Bureau of Investigation, and CISA as well as the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity—did not identify the purpose of the attacks. It did, however, assess that the BlackTech hackers used sophisticated cyber tools to target routers to move “from international subsidiaries to headquarters in Japan and the U.S.—the primary targets.” BlackTech has operated since 2010, targeting public- and private-sector networks in the United States and East Asia and consistently modifying its cyber tools so that they are not flagged by security software, according to the alert. The United States and Japan urged network providers to take steps to “protect devices from the backdoors the BlackTech actors are leaving behind.”
The recent warnings of China’s hacking activity, particularly those issued in conjunction with Five Eyes countries and Japan, serve as a reminder that U.S. cybersecurity depends in part on the security of its partners’ key networks. An August Washington Post report alleged that China’s hackers penetrated classified Japanese military networks in 2020, creating alarm in Washington about the sensitive information that China could access on the networks of a U.S. intelligence partner. Notably, the United States’ resolve to work with allies to address hacking incidents is part of a broader trend in its approach to cybersecurity, which transcends the China threat. For example, in 2022 and 2023, CISA released eight alerts in conjunction with allies—frequently other members of the Five Eyes—to warn of new hacking activity by Russia, Iran, and China.
A “Traditional” Threat: Economic Espionage
Even as China has increasingly focused on targeting critical infrastructure, its hackers have simultaneously continued to pursue their traditional espionage goals. “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks,” according to the ODNI.
The United States has identified a wide range of targets of China’s cyber espionage program. In its 2023 Cyber Strategy, the Defense Department wrote that China has “engaged in prolonged campaigns of espionage, theft, and compromise against key defense networks and broader U.S. critical infrastructure, especially the Defense Industrial Base.” It also described “intrusion and surveillance efforts against individuals living beyond its borders, including U.S. citizens, whom it considers enemies of the state.” The Defense Department report identified U.S. allies and partners as targets of China’s cyber espionage efforts as well. Furthermore, at a recent meeting with Five Eyes chiefs, Ken McCallum—who serves as the director general of the U.K.’s MI5—described “a sharp rise in aggressive attempts by other states to steal competitive advantage” across the five countries, but he did not specify China as the culprit. At the meeting, the FBI’s Christopher Wray reportedly shared that his agency currently has more than 2,000 open investigations related to Chinese espionage, which is conducted using both cyber and nondigital techniques.
This year, Commerce Secretary Gina Raimondo confirmed that, as she prepared for her trip to China in August, hackers broke into her email account. Other Commerce and State officials also had their email accounts infiltrated by Chinese hackers in the course of the incident, which has reportedly resulted in the theft of 60,000 emails from senior State Department officials. What’s more, last year, U.S. national security agencies released an advisory detailing a series of security flaws that China’s state-backed hackers have exploited since 2020. According to the alert, China’s hackers “continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies[.]” These hacks are an effort “to steal intellectual property and develop access into sensitive networks,” the advisory said.
The espionage efforts of China-based hackers extend beyond targeting the United States and its allies. For example, last month, the cybersecurity company Palo Alto Networks documented China-based intrusions into approximately two dozen “government organizations across a key range of industries” in Cambodia. “This activity is believed to be part of a long-term espionage campaign,” the company wrote in a report. It added that the hacking “aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region.”
Influence Operations: Artificial Intelligence and Disinformation
In addition to its recent hacking operations, China has also developed sophisticated capabilities for spreading disinformation on social media. In the past—including during the lead-up to the 2020 U.S. elections—social media companies documented rudimentary disinformation campaigns spreading Chinese propaganda. But China has recently developed new tools for digital information operations, according to a report published by Microsoft in September. The company described China’s use of artificial intelligence to create realistic images that could spread on social media: “In the past year, China has honed a new capability to automatically generate images it can use for influence operations meant to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines.” Separately, Microsoft added that China’s “state-affiliated multilingual social media influencer initiative” has reached 103 million accounts in 40 languages, while “China-aligned” accounts have both impersonated American voters and connected with real users about political matters.
Furthermore, the Defense Department’s October report warned of a different facet of China’s information efforts. The report described China’s focus on developing information operations that could be deployed for advantage in the event of a conflict. China is increasingly incorporating these operations into its military exercises, the department wrote. China views “cyberspace, electronic, space, and psychological warfare” as “integral to achieving information superiority early in a conflict as an effective means to counter a stronger foe.”
The Defense Department’s analysis highlights that, while the cyber threat posed by China has at least three distinct strands—disinformation, espionage, and hacking critical infrastructure—these tactics are also strategically intertwined. For example, the department’s 2023 Cyber Strategy alluded to the multilevel strategic approach that China could take if it were to come into direct conflict with the United States. It predicts “destructive” cyberattacks with multiple goals: “hinder military mobilization, sow chaos, and divert attention and resources.”
Each element of China’s cyber threat requires its own strategy: To address the new disinformation threat posed by China, the U.S. can work with its tech companies to step up in the face of new tactics enabled by advanced technologies. Countering economic espionage means an evolving combination of positive and negative incentives, continuing the effort first attempted by the Obama administration. Protecting U.S. military and critical infrastructure from attacks intended to lay the groundwork for follow-on operations in the event of a U.S.-China conflict is a vital challenge for protecting U.S. interests, even if the prospect of a direct conflict does not appear imminent. Securing this infrastructure, which is in both private and public hands, calls for continued investment in defense.
Cyberspace can be viewed as the latest front in renewed great power competition, one in which the U.S. should bring together all of its digital and nondigital tools to deter China’s hackers. The 2023 Cyber Strategy described China as “the pacing challenge” for U.S. cybersecurity. While the cyber threat posed by China may not be as urgent as other geopolitical crises, it is vital for the U.S. to prioritize the long-term strategic challenges that will only become more pronounced over time as the two powers compete in the digital domain.