
Global cyber warfare has escalated, with state-sponsored actors targeting governments, corporations, and individuals to gain strategic advantages. China stands out as a central player, orchestrating sophisticated, long-running cyber espionage campaigns through Advanced Persistent Threat (APT) groups. This article explores China’s major cyber operations, their methodologies, and their impact on global cybersecurity.
Context: China’s Cyber Warfare Strategy
China’s cyber strategy is driven by the Ministry of State Security (MSS) and the People’s Liberation Army (PLA), aiming for economic dominance and national security. Key goals include intellectual property (IP) theft, global surveillance, and repression of dissent. Prominent APT groups include:
- APT 31 (Zirconium, Violet Typhoon): MSS-run; targets government, political and corporate entities, including parliamentarians.
- APT 40: Linked to the MSS Hainan State Security Bureau; targets maritime, naval and Belt and Road Initiative countries as well as Western governments.
- APT 10 (Stone Panda): Linked to the MSS Tianjin State Security Bureau; known for supply chain attacks through managed service providers.
- APT 41 (Barium): Blends state espionage with financially motivated crime.
- Hafnium: Microsoft's name for the MSS-linked group behind the 2021 zero-day exploitation of Microsoft Exchange Server.
- Salt Typhoon: Targets telecommunications providers and their call-record and lawful-intercept systems worldwide.
These groups blur military, intelligence and commercial objectives, and are supported by state entities and commercial contractors such as Sichuan Juxinhe Network Technology Co., which the U.S. Treasury sanctioned in January 2025 for its role in Salt Typhoon.
Timeline of Major China-Sponsored Cyber Attacks
2010 – Operation Aurora
- Target: Google, Adobe, and over 20 U.S. companies in tech, finance, and defense sectors.
- Method: Spear-phishing emails leading to a zero-day exploit for Internet Explorer (CVE-2010-0249), which dropped malware used to move into corporate networks.
- Impact: Theft of intellectual property, including Google’s source code, and sensitive corporate data. Exposed vulnerabilities in major tech firms, prompting a shift in corporate cybersecurity strategies.
- Attribution: Google attributed the intrusion to actors in China. It has not been publicly tied to a specific PLA unit; Unit 61398 is the unit Mandiant later identified (2013) as the separate APT1 campaign.
- Global Response: Google publicly disclosed the attack, leading to U.S.-China diplomatic discussions. The U.S. issued cybersecurity advisories, and companies enhanced defenses against spear-phishing.
2015 – U.S. OPM Breach
- Target: U.S. Office of Personnel Management (OPM).
- Method: Attackers entered using credentials stolen from a background-investigation contractor (KeyPoint Government Solutions) and planted malware for persistent access; weak patching and the absence of multifactor authentication prolonged their dwell time.
- Impact: Roughly 21.5 million background-investigation records and 4.2 million personnel records were stolen (about 22 million people in total), including security clearance forms (SF 86, SF 85) with Social Security numbers, employment and foreign-contact history, plus 5.6 million sets of fingerprints. Enabled long-term targeting of U.S. government personnel.
- Attribution: Attributed to MSS-linked actors by U.S. intelligence.
- Global Response: The U.S. tightened federal cybersecurity requirements (including a government-wide "cybersecurity sprint" on multifactor authentication), later charged a Chinese national tied to the malware used in the intrusion, and increased monitoring of state-sponsored threats. Congressional investigations followed, highlighting national security risks.
2017 – Cloud Hopper Campaign
- Target: Global IT managed service providers (reporting named HPE and IBM) and their clients across 12+ countries in manufacturing, healthcare, and finance.
- Method: APT 10 compromised managed service providers to infiltrate client networks via supply chain attacks, using custom malware like PlugX.
- Impact: Widespread data theft, including trade secrets and business strategies, affecting global corporate competitiveness.
- Attribution: Linked to the MSS Tianjin State Security Bureau by the December 2018 U.S. indictment, Five Eyes agencies, and cybersecurity firms.
- Global Response: Five Eyes issued joint advisories, and the U.S. Department of Justice indicted APT 10 members. Affected companies strengthened supply chain security, and international cooperation increased to counter similar attacks.
2021 – Microsoft Exchange Hack
- Target: About 250,000 on-premises Exchange servers worldwide were exposed to the exploit chain; tens of thousands of organizations, including businesses and governments in the U.S., UK, and EU, were compromised.
- Method: Hafnium chained four Exchange Server zero-days (the ProxyLogon chain, beginning with CVE-2021-26855, a server-side request forgery that bypasses authentication) to write web shells onto the server for remote access and data exfiltration.
- Impact: Compromised tens of thousands of systems for espionage and data theft; once the exploit chain became public, other actors reused it to deploy ransomware (e.g., DearCry). Affected small businesses to Fortune 500 firms.
- Attribution: Microsoft attributed the activity to Hafnium, which it assessed to be MSS-affiliated; in July 2021 the U.S., UK, EU, and NATO formally attributed it to the MSS.
- Global Response: Microsoft issued out-of-band patches on March 2, 2021, and CISA ordered federal agencies to patch or disconnect exposed servers. The U.S., UK, EU, and NATO issued coordinated attribution statements in July 2021 (no sanctions were imposed at the time), and the U.S. Department of Justice unsealed an indictment of APT 40 members the same day. Advisories urged rapid patching and hunting for web shells on already-exposed servers.
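Because patching does not evict a web shell that was planted before the patch, the practical follow-up to the Exchange campaign was hunting in IIS logs. The following script is an added example (not code from the article, from Microsoft, or from any group named here): it scans IIS W3C log lines for two generic web-shell indicators, POSTs to .aspx files outside the paths an Exchange front end is expected to serve, and script files under directories that should be static. The log lines, the expected-POST path list, and the static-directory list are constructed assumptions; a real deployment would derive the expected-path list from the server's own baseline.

```python
"""Hunt for web-shell activity in IIS W3C logs (constructed example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log excerpt. IIS writes spaces inside the user agent as '+',
# so every record splits cleanly on whitespace.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-02 09:14:01 10.0.0.5 POST /owa/auth.owa - 198.51.100.7 Mozilla/5.0 302
2021-03-02 09:14:05 10.0.0.5 GET /owa/ - 198.51.100.7 Mozilla/5.0 200
2021-03-02 09:16:22 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 203.0.113.9 python-requests/2.25 200
2021-03-02 09:16:23 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 203.0.113.9 python-requests/2.25 200
2021-03-02 09:20:10 10.0.0.5 POST /ews/exchange.asmx - 192.0.2.44 Microsoft-Outlook 200
2021-03-02 09:31:40 10.0.0.5 GET /owa/auth/logon.aspx cmd=whoami 203.0.113.9 python-requests/2.25 200
"""

# Assumed baseline: paths that legitimately receive POSTs on this Exchange front end.
EXPECTED_POST_PREFIXES = (
    "/owa/auth.owa", "/ews/", "/mapi/", "/autodiscover/", "/ecp/",
    "/microsoft-server-activesync",
)

# Assumed: directories that should only ever serve static content.
STATIC_DIRS = ("/aspnet_client/",)

# Query-string parameter names commonly used by simple command shells.
SHELL_PARAM = re.compile(r"(?:^|&)(?:cmd|exec|command|c)=", re.I)


def parse_w3c(text):
    """Yield one dict per record, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def score(entry):
    """Return the list of indicator names triggered by one log record."""
    hits = []
    method = entry["cs-method"].upper()
    stem = entry["cs-uri-stem"].lower()
    query = unquote(entry.get("cs-uri-query", "-"))
    if method == "POST" and stem.endswith(".aspx") and not stem.startswith(EXPECTED_POST_PREFIXES):
        hits.append("post_to_unexpected_aspx")
    if stem.startswith(STATIC_DIRS) and stem.endswith((".aspx", ".asp", ".ashx")):
        hits.append("script_in_static_dir")
    if query != "-" and SHELL_PARAM.search(query):
        hits.append("shell_like_query")
    return hits


def hunt(text):
    """Return {(client_ip, uri_stem): Counter(indicator -> count)} for suspicious records."""
    findings = {}
    for entry in parse_w3c(text):
        hits = score(entry)
        if hits:
            key = (entry["c-ip"], entry["cs-uri-stem"])
            findings.setdefault(key, Counter()).update(hits)
    return findings


if __name__ == "__main__":
    for (ip, path), hits in hunt(SAMPLE_LOG).items():
        print(f"{ip} {path}: {dict(hits)}")
```

Any hit on a path the server did not ship with warrants pulling the file itself for review. The complementary host-side check is process lineage: the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe is the single most reliable sign that a web shell is executing commands.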
2021 – New Zealand Parliamentary Attack
- Target: New Zealand parliamentary network, including the Parliamentary Counsel Office and Parliamentary Service.
- Method: APT 40 gained access to the parliamentary network; the specific intrusion path was not made public, and New Zealand's Government Communications Security Bureau (GCSB) said the activity was contained.
- Impact: Some parliamentary information was accessed; the GCSB stated it was not of a strategic or sensitive nature, but the intrusion showed intent to target legislative institutions and their drafting offices.
- Attribution: In March 2024 the GCSB publicly attributed the 2021 activity to APT 40, a group linked to the MSS.
- Global Response: New Zealand issued security advisories and strengthened parliamentary cyber defenses. The attack prompted closer Five Eyes collaboration on China-related threats.
2021–2022 – UK Electoral Commission Breach
- Target: UK Electoral Commission voter database.
- Method: Initial access in August 2021 through the Commission's on-premises Microsoft Exchange server, which the UK Information Commissioner's Office later found had not been patched against the ProxyShell vulnerabilities; the intrusion went undetected until October 2022.
- Impact: Copies of the electoral registers, holding the names and addresses of approximately 40 million UK voters, were accessible to the intruders, raising concerns about electoral integrity and data privacy.
- Attribution: In March 2024 the UK attributed the compromise to a China state-affiliated actor; in the same announcement it attributed separate 2021 reconnaissance against UK parliamentarians to APT 31, which operates for the MSS.
- Global Response: The UK sanctioned two individuals and a front company (Wuhan Xiaoruizhi Science and Technology Company) linked to APT 31, released security advisories, and enhanced voter data protection measures. The incident fueled calls for stronger electoral cybersecurity.
2020–Ongoing – Salt Typhoon Campaign
- Target: Primarily telecommunications providers, plus government and other networks, in over 80 countries, including 200+ U.S. organizations.
- Method: Exploiting vulnerabilities in network edge devices (routers, VPN appliances) to gain long-term access to carrier networks, including call-record systems and, at U.S. carriers, the lawful-intercept systems used for court-authorized wiretaps.
- Impact: Enabled extensive global surveillance and potential disruption of critical systems, threatening national security across multiple nations.
- Attribution: Attributed to Chinese state-sponsored actors by U.S. and Five Eyes intelligence.
- Global Response: The U.S. issued alerts and, in January 2025, sanctioned Sichuan Juxinhe Network Technology Co. for its role; Five Eyes and partner agencies published hardening guidance for telecom networks, with ongoing efforts to evict the actor from compromised carriers.
2023–2024 – Volt Typhoon Attacks
- Target: U.S. and global critical infrastructure (e.g., telecom, energy, water) and military-related systems.
- Method: Exploitation of internet-facing routers, VPN appliances, and firewalls for initial access; routing operator traffic through a botnet of compromised end-of-life small office/home office routers (the KV-botnet); and living-off-the-land techniques (built-in Windows tools and valid accounts rather than custom malware) to avoid detection.
- Impact: Potential for disruption of critical infrastructure and military operations, raising concerns about China’s pre-positioning for future conflicts.
- Attribution: Attributed to PRC state-sponsored actors by CISA, NSA, and FBI together with Five Eyes partners.
- Global Response: The U.S. issued urgent advisories, and Five Eyes nations increased monitoring of critical infrastructure. In January 2024 the FBI conducted a court-authorized operation to remove KV-botnet malware from compromised U.S. routers, alongside calls for stronger public-private cybersecurity partnerships.
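Living-off-the-land activity leaves no malware to signature, so detection falls back to command-line patterns in process-creation telemetry. The script below is an added example (not code from the article or from CISA): it checks constructed Windows process-creation events against patterns for the built-in tools the Volt Typhoon advisories describe (ntdsutil IFM dumps of the NTDS.dit database, reg save of registry hives, netsh portproxy tunnels, wmic remote process creation) and then correlates hits per host, on the reasoning that credential dumping plus a tunnel on the same machine is far more telling than either alone. Field names, rule patterns, severity logic, and the sample events are assumptions for the example.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation events (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon/4688-style process-creation record (assumed field set)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# (rule name, tactic, regex over the full command line). Patterns are assumed
# heuristics modelled on the tools described in public Volt Typhoon reporting.
RULES = [
    ("ntds_ifm_dump", "credential-access",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.I)),
    ("hive_export", "credential-access",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("shadow_copy", "credential-access",
     re.compile(r"\b(?:vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)\b", re.I)),
    ("portproxy_tunnel", "command-and-control",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
    ("wmic_remote_exec", "lateral-movement",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
]
TACTIC = {name: tactic for name, tactic, _ in RULES}

# Constructed sample telemetry from three hosts.
SAMPLE_EVENTS = [
    ProcEvent("DC01", r"CORP\svc_backup", "cmd.exe", "ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'),
    ProcEvent("DC01", r"CORP\admin", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("FS02", r"CORP\admin", "cmd.exe", "reg.exe",
              r"reg save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcEvent("FS02", r"CORP\admin", "cmd.exe", "netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
              "connectport=443 connectaddress=10.1.1.20"),
    ProcEvent("WS17", r"CORP\jdoe", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ProcEvent("WS17", r"CORP\jdoe", "cmd.exe", "wmic.exe",
              r'wmic /node:FS02 process call create "cmd.exe /c whoami > C:\Windows\Temp\w.txt"'),
]


def match_rules(event):
    """Return the sorted rule names whose pattern matches this event's command line."""
    return sorted({name for name, _, rx in RULES if rx.search(event.cmdline)})


def lotl_findings(events):
    """Group rule hits per host: {host: {rule_name: count}}."""
    findings = {}
    for event in events:
        for name in match_rules(event):
            per_host = findings.setdefault(event.host, {})
            per_host[name] = per_host.get(name, 0) + 1
    return findings


def rate(host_hits):
    """Assumed severity: credential access combined with any other tactic on one host is 'high'."""
    tactics = {TACTIC[name] for name in host_hits}
    if not tactics:
        return "none"
    if "credential-access" in tactics:
        return "high" if len(tactics) > 1 else "medium"
    return "low"


if __name__ == "__main__":
    for host, hits in lotl_findings(SAMPLE_EVENTS).items():
        print(f"{host}: {rate(hits)} {hits}")
```

The per-host correlation is the point: on FS02 a SAM hive export followed by a portproxy listener earns a high rating, whereas the administrator on DC01 running an IFM dump alone is medium and deserves a check against change records, since the same command is how legitimate domain controller promotions and backups are prepared.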
Techniques and Tools Used
- Supply Chain Compromise: Infiltrating trusted vendors (e.g., Cloud Hopper) to access client networks.
- Zero-Day and N-Day Exploits: Exploiting vulnerabilities before a patch exists (e.g., Internet Explorer in Operation Aurora, Exchange Server in 2021) and afterwards against systems that remain unpatched (e.g., the Electoral Commission's Exchange server).
- Phishing & Spear-Phishing: Sophisticated emails with tracking links or malware (e.g., Operation Aurora).
- Malware Families: PlugX, ShadowPad, and custom tools for data exfiltration and persistence.
- Persistence Methods: Compromising internet-facing routers, VPN appliances, and firewalls, and relying on valid accounts and built-in tools rather than malware, to retain access that can go undetected for years.
- Social Engineering/Bribery: Direct approaches, such as Sinovel's multimillion-dollar bribe of an American Superconductor engineer for proprietary wind-turbine control code.
These techniques leverage deep technical expertise, particularly in telecommunications infrastructure, to evade detection.
Impact on Global Cybersecurity
- Economic Losses: IP theft (e.g., wind turbine code, Coca-Cola strategies) costs billions, undermining innovation.
- International Relations: Strained US-China ties, with sanctions and indictments escalating tensions.
- Defense Spending: Global rise in cybersecurity investments, with governments and corporations bolstering defenses.
- Data Breaches: PII theft (e.g., OPM breach) enables long-term targeting of individuals and institutions.
Countermeasures and Lessons Learned
- International Collaboration: Five Eyes and NATO enhance cyber threat intelligence sharing.
- Zero Trust Models: Adoption of strict access controls to mitigate insider and external threats.
- Threat Intelligence: Real-time sharing to detect and respond to APT activities.
- Sanctions and Indictments: U.S. and allies target PLA units (e.g., Unit 61398) and MSS operatives to raise costs of cyberattacks.
- Patching and Awareness: Rapid software updates and employee training to counter phishing and exploits.
Conclusion
China’s state-sponsored cyber campaigns, driven by groups like APT 31, APT 40, and Hafnium, have reshaped global cybersecurity. Their focus on IP theft, surveillance, and repression underscores the need for robust defenses, international cooperation, and public-private partnerships. By raising the costs of these attacks through sanctions, indictments, and advanced security models, the global community can build resilience against this evolving threat.