Experts say China’s low-level cyberwar is becoming severe threat

Activity more overt and reckless despite US, British and other political efforts to bring it to a halt

Chinese state-sponsored hacking is at record levels, western experts say, accusing Beijing of engaging in a form of low-level warfare that is escalating despite US, British and other political efforts to bring it to a halt.

There are accusations too that the clandestine activity, which has a focus on stealing intellectual property, has become more overt and more reckless, although Beijing consistently denies sponsoring hacking and accuses critics of hypocrisy.

Jamie Collier, a consultant with Mandiant, a cybersecurity firm whose work is often cited by intelligence agencies, said the level of hacking emerging from China in 2021 was “a more kind of severe threat than we previously anticipated”.

That culminated, in July, with the US, the EU, Nato, the UK and four other countries all accusing Beijing of being behind a massive exploitation of vulnerabilities in Microsoft’s widely used Exchange company server software in March. In some cases they blamed China’s Ministry of State Security (MSS) for directing the activity.

It affected about 250,000 organisations worldwide, allowing hackers from a group Microsoft has named Hafnium to siphon off company emails for espionage, with the help of an easy-to-use “web shell” tool that let anybody with the right password break into a compromised Exchange server.

Once Microsoft was publicly alerted to the activity, attacks were rapidly stepped up on organisations that had not patched Exchange. Criminals, now aware of what was happening, were able to exploit the web shells, and in some cases they were booby-trapped if deleted – a brazen aspect of the hacking that surprised experts.

Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre until last year, said: “What you saw here was real recklessness. The Hafnium attack on Exchange was in complete contrast to the Russian exploitation of SolarWinds software for espionage purposes.

“In that case there was no collateral damage – but as for Hafnium when they realised they had been caught, the hackers booby-trapped the software on the way out.”

China, however, consistently denies being involved in hacking despite the attempts by the US and others to embarrass it. In July, China’s foreign ministry accused Washington of “ganging up with its allies” and engaging in “smear and suppression out of political motives”.

It said the US was “the largest source of cyber-attacks in the world”, underlining the lack of agreement on the topic and touching on a genuine source of frustration in Beijing – that the US and other western allies have long engaged in traditional political espionage against countries like it.

Yet it was not meant to be like this: in September 2015, Presidents Barack Obama and Xi Jinping jointly announced a cybersecurity agreement.

“Both governments will not be engaged in or knowingly support online theft of intellectual properties,” Xi said during a visit to the White House, following similar language from Obama. An almost identical agreement was signed between the UK and China one month later.

At first the agreement had a deterrent effect, at least on the Chinese side, with reports of hacking emanating from the country sharply reduced from what experts describe as “loud, noisy” attempts to steal intellectual property previously.

But the situation changed after the 2016 election of Donald Trump, who adopted a more overtly combative tone towards Beijing. China, meanwhile, reorganised its hacking activities, taking away global operations from the People’s Liberation Army and switching them to the MSS.

In the west, the penny slowly dropped as security agencies began to understand the impact of Operation Cloud Hopper, the name given to a sophisticated espionage campaign conducted against third-party IT services providers, with the aim of infiltrating them to steal secrets from a wide range of corporates such as the Swedish telecoms equipment maker Ericsson.

The campaign may have run throughout the 2010s but by 2017 had become increasingly visible to western intelligence, revealing, as Martin observed, that “it was clear with the deterioration of Sino-American relations China no longer felt bound by the agreement with Obama”.

A year later, in December 2018, the US and the UK named a Chinese group known as APT10 or Stone Panda as being behind the Cloud Hopper hacking. It was the first time the British had accused the Chinese government of being responsible for a cyber campaign, saying that the MSS was directing or operating behind the hackers.

“In the past, Chinese groups were very sensitive to indictment, to the name and shame of public attribution,” said Collier. “Effectively when governments called them out, you’d see relatively quickly after those things happened, the activity would drop off. But what we are seeing is that is no longer the case any more.”

Industrial espionage efforts from Chinese actors often closely follow goals announced in Beijing’s five-year plans, Collier added, although British and other intelligence agencies said there was a notable and unsurprising shift in focus to targeting vaccine development secrets at the early stage of the pandemic.

Another common tactic is to pose as recruiters on LinkedIn. A typical profile is of a woman who tries to lure civil servants and executives in key industries into revealing more about their work in exchange for what turns out to be a bogus job offer.

The British domestic spy agency MI5 estimated that 10,000 people had been targeted over the past five years, in April describing the activity as taking place on an “industrial scale”. Spy chiefs did not directly accuse Beijing, but the view among the Five Eyes intelligence agencies is that this technique is dominated by Chinese actors.

The rhetoric continues to step up. Gen Patrick Sanders, Britain’s most senior cyber general, the head of strategic command, last week accused China and Russia of engaging in “the expansion of warfare into the novel domains of space and cyber” in a speech to a UK defence industry conference.

It was, the general argued, part of a wider ideological struggle that amounts to “an approach that seeks to win without fighting”, a long way, in effect, from the rhetoric of internet cooperation espoused six years ago.


Dan Sabbagh Defence and security editor