For many years, the U.S. government and many cybersecurity experts have considered China to be the greatest cybersecurity threat.

The Chinese Communist Party (CCP) uses an extensive network of hacker groups to collect intelligence and intellectual property, as well as compromise critical systems, as part of a hybrid warfare strategy meant to defeat the United States without necessarily engaging in a kinetic war, according to experts.

Cybersecurity companies have identified close to 200 hacker groups linked to China, most of them classified as advanced persistent threats (APTs). Some groups are part of the People’s Liberation Army, the CCP military. Some are part of the Ministry of State Security, China’s main intelligence agency. Others work from nominally private companies, usually under Ministry of State Security control. Still others are freelancers, using their skills for both the CCP’s benefit and personal gain.

Their real identities are seldom known, so cybersecurity companies usually give them nicknames based on their methods and suspected base of operation. As such, groups with different names may in fact belong to a single CCP entity and may appear to go inactive if they adopt a new toolkit.

“The danger in dealing with these state-sponsored actors is their almost limitless resources and the willingness to play the long game,” said Bob Erdman, an associate vice president for research and development at Fortra, a cybersecurity firm.

“They will spend years collecting information and setting the groundwork for their operations. They also have access to the entire intelligence apparatus, which can provide an excellent source of information but also a framework and infrastructure to carry out these operations.”

Access to China’s internet infrastructure allows for “man-in-the-middle” attacks “to exploit users whose internet traffic happens to transit infrastructure owned or built by China,” he told The Epoch Times in a text message.

Their main target is the United States—not just the U.S. government, but also private companies of strategic interest to the CCP. The list of targeted industries is long, from major military contractors to telecommunications, electronics, engineering, mining, shipping, pharmaceutics, energy, computing software and hardware, aerospace and aviation, and even education.

Some hacker groups have shown keen interest in detecting vulnerabilities in U.S. critical infrastructure, including power grids and the water supply. And some groups specifically target dissidents and CCP critics overseas.

“To the CCP, cyber is one of many methods of unrestricted war: weakening your enemy from the inside with no rules just short of conventional war,” Casey Fleming, a strategic risk and intelligence expert and the CEO of BlackOps Partners, told The Epoch Times via email.

“The CCP’s cyber war machine is much greater than anyone realizes. They have the manpower, they are extremely focused, minimally fragmented under the totalitarian communist regime, and leverage [artificial intelligence] and technology for maximizing their attacks.”

Even APTs that on the surface bear associations with other nations or no associations at all may be influenced by the CCP behind the scenes, according to Fleming.

Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, uses his computer at an office in Dongguan, Guangdong Province, China, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)

“The CCP is the puppet master,“ he said. ”They collaborate with and train other nation states as axis partners against the West. The CCP also hires bad actors with their malware from the darknet.”

The U.S. government has been periodically indicting Chinese hackers implicated in major attacks, but that appears to barely scratch the surface.

As long as the hackers are located in China, they are “shielded from legal repercussions,” Erdman said.

A major problem is that vulnerabilities in computer systems are not just a matter of oversight, but also the result of how the big tech business model is set up, according to Rex Lee, a cybersecurity expert at My Smart Privacy who has advised major corporations and government agencies, including the Department of Homeland Security and the National Security Agency.

Threat Evolution

As victims of cyberattacks have wised up to hackers’ tactics, hackers have also become more sophisticated, taking advantage of new technologies and developing new attack vectors, Lee told The Epoch Times.

Reports of Chinese APTs exploded in the mid-2000s. Back then, smartphones and social media were in their infancy and most attacks followed a similar pattern. The hacker group would identify individuals who possessed credentials to access the targeted computer system. An aeronautics engineer, for example, would likely have access to a computer system storing blueprints. The hackers would send the engineer emails prompting him to open an attachment infected with a malicious program, known as malware.

This method, called phishing, has been evolving, too. In the early days, the text of the email would be generic, likely in broken English. Over time, the tactic advanced into “spear phishing,” which uses personalized emails. The email might appear to have been sent by a supervisor or the information technology or human resources department, and the attachment might look like a legitimate work-related document. As companies have adopted policies against opening unsolicited attachments, the hackers have switched to sending hyperlinks that take the user to an infected website.

U.S. Deputy Attorney General Rod Rosenstein speaks at a news conference about Chinese hacking with (L–R) U.S. Attorney for the Southern District of New York Geoffrey Berman, FBI Director Christopher Wray, and Assistant Attorney General for National Security John Demers at the Justice Department in Washington on Dec. 20, 2018. The Justice Department announced indictments of Chinese government hackers who allegedly targeted scores of companies in a dozen countries. (Nicholas Kamm/AFP via Getty Images)

In contrast to regular online scammers, who may try to trick their target into entering his login details into a fake website, typically an online banking site, state-sponsored hackers take a long-term, methodical approach.

The first malware they try to sneak in only surveils the targeted system. It collects detailed information about the system, such as what apps, versions, and configurations it uses. However, the most important feature is a keylogger, a function that records everything the user types on the keyboard. Sooner or later, the user types his usernames and passwords for various parts of the system, including the part storing restricted information. The hackers then use the stolen credentials to search for and exfiltrate the targeted data.

Sometimes, hackers take an indirect route. Instead of the company or government agency itself, they go after IT contractors with access to its systems. Some Chinese APTs have managed to compromise managed service providers (MSP), which are companies that provide computer and network solutions to other companies. Many large corporations outsource their IT to MSPs. Thus, hacking a major MSP can provide access to multiple high-value targets.

While CCP hackers have been highly successful using spear phishing, its effectiveness has eroded as users have become more suspicious of links and attachments of any kind.

Hacker groups have started to rely more often on “watering hole” attacks. With this method, they first try to create a psychological profile of their targets to determine their online behavior. The goal is to pinpoint specific websites that the targets are likely to visit. The hackers then search for security weaknesses on those websites and plant malware on them. Then they wait for their targets to visit the website and infect their computers.

In recent years, CCP hackers have successfully exploited yet another tactic: targeting network infrastructure such as routers, switches, and firewalls. Security flaws in the firmware of such devices are routinely patched by their producers, but end users do not necessarily keep them up to date.

The large-scale attack on telecom companies in the United States and around the world that was discovered in 2020 was enabled by just such vulnerabilities.

U.S. Deputy Attorney General Jeffery A. Rosen talks about charges and arrests related to a hacking campaign tied to the Chinese regime, at the Justice Department in Washington on Sept. 16, 2020. (Tasos Katopodis/AFP via Getty Images)

“Investigations associated with these APT actors indicate that they are having considerable success exploiting publicly known common vulnerabilities and exposures (CVEs) and other avoidable weaknesses within compromised infrastructure,” states a September report on the attacks jointly produced by cybersecurity and signals intelligence agencies of the United States, Canada, the UK, Australia, Germany, Japan, and several other nations.

The hackers were able to access call records data, law enforcement wiretaps, and the communications of government officials and politicians.

Spy by Design

Smartphone users have become used to giving apps permission to access basic phone functions, such as the camera, keyboard, microphone, and location services. The app functionality often depends on such permissions. But the implications are extensive, according to Lee.

Any app with standard permissions can literally see and hear through the phone, as well as record what the user types. It can also monitor the user’s movement through GPS, Bluetooth, Wi-Fi, cell tower connection, and even the phone’s in-built accelerometer, Lee said.

Many apps go even further, requesting permission to access user photos, emails, and text messages, bundling together all the dream malware features, he pointed out.

Cellphone producers necessarily allow apps to collect such data because the entire tech sector draws massive revenues from data collection and data brokering.

TikTok's request to access camera and microphone is displayed on a smartphone in New York City on Nov. 26, 2024. (PixieMe/shutterstock)

“They sell access to you to other app developers,” Lee said. “It’s the surveillance technology that supports the surveillance capitalism business model that’s behind it all.”

While the system is set up to collect personal data in order to produce targeted advertising, it is easy for malicious actors to exploit the same system.

Regime-backed hackers with substantial resources can create legitimate-looking app developer companies, develop seemingly legitimate apps, and then wait for high-value targets to download them.

On the surface, the app could be almost anything—a game, or even a cybersecurity app, according to Lee.

Tech companies have been removing apps used for malicious purposes, but new ones are being pumped out all the time.

The only way to truly secure data, Lee said, is to store them on a separate system that does not use any of the operating systems that enable data mining. Some companies, including major defense contractors, have already moved down that road, he said.

(Click here to see enlarged image of the infographic below.)