
Chinese cyberespionage: The Invisible War That Threatens the West

by Gabriele Iuvinale

First Published in: Apr.10,2025

Aug.13, 2025

On March 4, the U.S. Department of Justice charged ten Chinese nationals with carrying out massive hacks against government agencies, media outlets, and dissidents in the United States and around the world. They allegedly acted on behalf of the Chinese company i-Soon, under contract from the Beijing government. Two officials from China’s Ministry of Public Security (MPS) were also indicted, identified as the ones “directing the attacks.”

 

According to documents held by the U.S. justice system, China’s domestic intelligence services (MPS) and foreign intelligence (Ministry of State Security, MSS) relied on a vast network of private companies and domestic contractors to hack and steal information, thereby masking the Chinese government’s direct involvement.

 

In some cases, the MPS and MSS paid private hackers to target specific victims. In many others, the intrusions were opportunistic: hackers identified vulnerable computers, broke into them, and extracted information that was later sold, directly or through intermediaries, to the Chinese government.

 

The Growth of Chinese Cyberespionage and Its Main Areas of Operation

 

This is not an isolated case. Over the past decade, the People's Republic of China's (PRC) hacking program has expanded rapidly. In 2023, then-FBI Director Christopher Wray stated that it was larger than those of all other major nations combined. This growth in scale and sophistication has produced results in three key areas: political interference, sabotage of critical infrastructure, and large-scale intellectual property theft.

 

Beijing integrates computer networks, electronic warfare, economic, diplomatic, legal, military, intelligence, psychological, and military deception resources, along with security operations, to weaken states, make them economically dependent on China, and more receptive to a “new authoritarian world order with Chinese characteristics.”

 

For this reason, unlike traditional interpretations, Chinese state-sponsored hacking should be understood within a broader context — where control over technology, strategic infrastructure, and global supply chains is part of “trans-military” and “non-military” warfare operations, as described by two People’s Liberation Army (PLA) colonels in the 1999 book “Unrestricted Warfare”. This approach is known as liminal warfare — an escalating conflict in which the spectrum of competition and confrontation with the West is so wide that the battlefield is, quite literally, everywhere.

 

Cyberespionage as a Tool of Electronic Warfare

 

In the electronic-warfare dimension, hacking is used to prepare and carry out sabotage in times of crisis or conflict. These operations are led by the People's Liberation Army (PLA), the armed wing of the Chinese Communist Party.

 

In 2023, it was discovered that a hacker group linked to the PLA, known as "Volt Typhoon", had been inside a wide range of U.S. critical infrastructure for years, including ports, factories, and water treatment plants, both in the continental United States and in strategic locations such as Guam.

 

"Volt Typhoon is a military operation with political and potentially military strategic purposes," explained Ciaran Martin, former head of the UK's National Cyber Security Centre (NCSC). Led by the PLA's cyber unit, the operation involved pre-positioning access, "digital traps," as some call them, within critical U.S. infrastructure so that it could be activated later.

 

Beyond a sustained 2023 intrusion into the Littleton Electric Light and Water Departments (LELWD), a small utility in Massachusetts, in which the attackers sought sensitive data about its operational technology (OT) environment, "Volt Typhoon" gained notoriety for multiple compromises of telecommunications networks in the U.S. and of other critical infrastructure worldwide. The LELWD intrusion was attributed by the cybersecurity firm Dragos to the activity cluster it tracks as "Voltzite", which overlaps with Volt Typhoon; the FBI and Dragos assisted the utility, and Dragos published a detailed case study of the intrusion and its remediation.

 

Intellectual Property Theft Through Cyberespionage

 

The most damaging channel for intellectual property theft is cyberespionage. These intrusions allow Chinese companies — sometimes with direct support from the Communist Party or the state — to access information on operations, projects, and technology from foreign firms.

 

China has used state-backed and coordinated cyberespionage campaigns to steal information from companies in strategic sectors such as oil, energy, steel, and aviation. These actions serve both to acquire science and technology and to gather intelligence useful for future attacks on military, government, or technical systems.

 

In the United States, there have been numerous precedents:

 

In 2014, five PLA officers from Unit 61398 were indicted for economic espionage.

In 2017, three hackers linked to the Chinese firm Boyusec were charged with stealing confidential business information.

In 2018, two Chinese nationals, members of the group known as APT10, were indicted for intellectual property theft.

In 2020, two hackers working with the MSS were charged, among other things, with targeting COVID-19 research.

 

Among these, the 2018 indictment stands out as part of a broader U.S. effort to raise awareness about Chinese cyberespionage. The defendants were part of a campaign known as "Cloud Hopper", a supply chain attack in which managed service providers, reportedly including Hewlett Packard Enterprise and IBM, were compromised in order to reach their clients' networks. The defendants worked for Huaying Haitai and collaborated with the Tianjin State Security Bureau of the MSS.

 

In 2017, the U.S. Commission on the Theft of American Intellectual Property estimated that such crimes cost the U.S. economy up to $600 billion annually — a figure comparable to the Pentagon’s defense budget and greater than the combined profits of the 50 largest companies in the Fortune 500.

 

Beyond the United States: The Global Impact of Chinese Cyberespionage

 

In June 2024, the Dutch Military Intelligence and Security Service (MIVD) warned that a Chinese cyberespionage campaign it had disclosed earlier that year was broader than previously believed, affecting Western governments and defense companies. The campaign had included a 2023 intrusion into a Dutch Ministry of Defence network through a FortiGate edge device; the MIVD assessed that the same actor had gained access to at least 20,000 FortiGate systems worldwide within a few months.

 

In 2018, the Czech Republic’s National Cyber and Information Security Agency (NUKIB) issued a warning about risks linked to China. Since then, the country has strengthened its capabilities and controls against Beijing and has worked on mechanisms to counter foreign information manipulation.

 

According to U.S. prosecutors, dozens of European parliamentarians have been targeted by Chinese attacks. In March 2024, the U.S. Department of Justice indicted seven hackers linked to the MSS, part of the group tracked as APT31, for targeting "all EU members" of the Inter-Parliamentary Alliance on China (IPAC), a coalition critical of Beijing. In 2021, the hackers sent over a thousand emails to more than 400 accounts linked to IPAC; the messages carried tracking links that, when opened, reported information such as the recipient's IP address, location, and device details, which could be used to prepare follow-on intrusions.

 

In addition, ASML, the Dutch leader in semiconductor lithography, suffers "thousands of security incidents per year," including several successful infiltration attempts by Chinese actors. Research centers like Imec (Belgium) are also frequent targets. Belgium has expelled Chinese researchers suspected of espionage. The European Union has reinforced security and identified advanced semiconductors as one of four critical technology areas (alongside artificial intelligence, quantum technologies, and biotechnology) requiring risk assessments and enhanced protection.

 

Notably, APT41 is one of the most active and sophisticated Chinese cyberespionage groups, based in the PRC and linked to the MSS. According to Google’s Threat Intelligence Group, APT41 combines state espionage with ransomware attacks — malicious programs that encrypt files and demand financial ransom to restore them — making attribution more difficult.

 

Unlike many Chinese state-aligned groups whose operations are regionally focused, APT41 acts globally, attacking strategic sectors in the U.S., Europe, Latin America, and the Caribbean. It also carries out financially motivated operations, particularly against the gaming industry. Mandiant, now part of Google Cloud, highlights APT41's technical capabilities: it frequently exploits zero-day and n-day vulnerabilities and uses techniques such as phishing, social engineering, and SQL injection.

 

In early 2020 alone, APT41 ran a campaign against more than 75 organizations in over 20 countries. It has also been linked to supply chain compromises such as the "ShadowHammer" campaign, in which a trojanized ASUS update tool reached tens of thousands of systems in 2018, and to the use of "MESSAGETAP", a malware deployed on telecommunications providers' SMS servers to intercept text messages.

 

The Role of Chinese Universities in Cyberespionage

 

Chinese universities also collaborate with the PLA and MSS in state-sponsored cyberespionage operations. Shanghai Jiao Tong University works directly with the Chinese military on such operations. Zhejiang University and the Harbin Institute of Technology are key centers for recruiting hackers.

 

Xidian University offers students hands-on experience at provincial MSS offices and previously maintained ties with the Third Department of the PLA’s General Staff before its reorganization in 2015 into the Network Systems Department. One of its graduate programs is co-directed with the Guangdong Office of the Chinese Information Technology Security Evaluation Center (ITSEC), an MSS-run office that leads an active team of contractor hackers.

 

Southeast University also maintains links with security services and co-manages the “Purple Mountain Lab” with the PLA’s Strategic Support Force. There, researchers collaborate on “critical strategic requirements,” operating systems, and interdisciplinary cybersecurity studies. The university also receives funding from the PLA and MSS to develop China’s cyber capabilities.

 

The Cybersecurity undergraduate program at Shanghai Jiao Tong University (SJTU) is taught at a PLA information engineering base. Within this program, SJTU claims to work on “network and information systems testing and evaluation, security testing for connected smart networks, APT attack and defense testing, and key technologies for cyber ranges.”

 

Universities associated with the MSS for talent recruitment include the University of Science and Technology of China, Shanghai Jiao Tong University, Xi’an Jiao Tong University, Beijing Institute of Technology, Nanjing University, and the Harbin Institute of Technology. In addition, some cybersecurity firms — such as Beijing TopSec — collaborate with the PLA in hacking campaigns, operator training, and developing future hackers.

 

This article was originally published by Agenda Digitale and later by Expediente Abierto, who granted us permission for its translation and republication.

Gabriele Iuvinale

Corporate lawyer. Expert in geopolitical analysis and the global operations of the People's Republic of China. Founder of the blog Extrema Ratio (Italy).
