Skip to main content

China's spies for hire: hackers who blend espionage and entrepreneurship


Xi Jinping transferred cyberhacking responsibility to a security ministry from the PLA following a slew of sloppy attacks and a reorganization of the military. (File Photo: Bloomberg)
China’s buzzy high-tech companies don’t usually recruit Cambodian speakers, so the job ads for three well-paid positions with those language skills stood out. The ad, seeking writers of research reports, was placed by an internet security start-up in China’s tropical island-province of Hainan.

That start-up was more than it seemed, according to American law enforcement. Hainan Xiandun Technology was part of a web of front companies controlled by China’s secretive state security ministry, according to a federal indictment from May. They hacked computers from the United States to Cambodia to Saudi Arabia, seeking sensitive government data as well as less-obvious spy stuff, like details of a New Jersey company’s fire-suppression system, according to prosecutors.

The accusations appear to reflect an increasingly aggressive campaign by Chinese government hackers and a pronounced shift in their tactics: China’s premier spy agency is increasingly reaching beyond its own ranks to recruit from a vast pool of private-sector talent.

This new group of hackers has made China’s state cyberspying machine stronger, more sophisticated and--for its growing array of government and private-sector targets--more dangerously unpredictable. Sponsored but not necessarily micromanaged by Beijing, this new breed of hacker attacks government targets and private companies alike, mixing traditional espionage with outright fraud and other crimes for profit.

China’s new approach borrows from the tactics of Russia and Iran, which have tormented public and commercial targets for years. Chinese hackers with links to state security demanded ransom in return for not releasing a company’s computer source code, according to an indictment released by the U.S. Department of Justice last year. Another group of hackers in southwest China mixed cyber raids on Hong Kong democracy activists with fraud on gaming websites, another indictment asserted. One member of the group boasted about having official protection, provided that they avoid targets in China.

“The upside is they can cover more targets, spur competition. The downside is the level of control,” said Robert Potter, the head of Internet 2.0, an Australian cybersecurity firm. “I’ve seen them do some really boneheaded things, like try and steal $70,000 during an espionage op.”

Chinas spies for hire: hackers who blend espionage and entrepreneurship
A shopper sits in front of ground markers at an upscale retail area in Beijing. China's hackers are targeting computers from the US to Cambodia to Saudi Arabia. (Bloomberg file photo.)

Investigators believe these groups have been responsible for some big recent data breaches, including hacks targeting the personal details of 500 million guests at the Marriott hotel chain, information on roughly 20 million U.S. government employees and, this year, a Microsoft email system used by many of the world’s largest companies and governments.

The Microsoft breach was unlike China’s previously disciplined strategy, said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a nonprofit geopolitical think tank.

“They went after organizations they had zero interest in and exploited those organizations with ransomware and other attacks,” Mr. Alperovitch said.

China’s tactics changed after Xi Jinping, the country’s top leader, transferred more cyberhacking responsibility to the Ministry of State Security from the People’s Liberation Army following a slew of sloppy attacks and a reorganization of the military. The ministry, a mix of spy agency and Communist Party inquisitor, has used more sophisticated hacking tools, like security flaws known as zero days, to target companies, activists and governments.

While the ministry projects an image of remorseless loyalty to the Communist Party in Beijing, its hacking operations can act like local franchises. Groups often act on their own agendas, sometimes including sidelines in commercial cybercrime, experts said.

The message: “We’re paying you to do work from 9 to 5 for the national security of China,” Mr. Alperovitch said. “What you do with the rest of your time, and with the tools and access you have, is really your business.”

A grand jury indictment released last year charged that two former classmates from an electrical engineering college in Chengdu, in southwest China, marauded through foreign computer servers and stole information from dissidents and engineering diagrams from an Australian defense contractor. On the side, the indictment said, the two tried extortion: demanding payment in return for not revealing an unidentified company’s source code on the internet.

Under this system, Chinese hackers have become increasingly aggressive. The rate of global attacks linked to the Chinese government has nearly tripled since last year compared with the four previous years, according to Recorded Future, a Somerville, Mass., company that studies the use of internet by state-linked actors. That number now averages more than 1,000 per three-month period, it said.

“Considering the volume that’s going on, how many times has the F.B.I. gotten them? Precious few,” said Nicholas Eftimiades, a retired senior American intelligence officer who writes about China’s espionage operations. “There’s no way you can staff up to be able to contend with this type of onslaught.”

Though their numbers make them hard to stop, the hackers don’t always try hard to cover their tracks. They sometimes leave clues strewn online, including wedding photos of agents in state security uniforms, telltale job ads and boasts of their feats.

Hainan Xiandun was set up to recruit young talent and create a veneer of deniability, prosectors said. It posted job ads on the message boards of Chinese universities and sponsored a cybersecurity competition.

The operations from Hainan--an island jutting into the South China Sea--sometimes reflected local priorities, like stealing marine research from a university in California and hacking governments in nearby Southeast Asian countries, according to the May indictment. Its job ad for Cambodian speakers was placed three months before Cambodian elections.

While some targets had clear espionage goals, others appeared less focused. The hackers tried to steal Ebola vaccine data from one institution, prosecutors said, and secrets about self-driving cars from another.

In January 2020, a mysterious blog with a track record of exposing Chinese state security hackers picked up the scent. The blog, “Intrusion Truth,” was already known in Washington cybersecurity circles for naming Chinese intelligence officers well before they appeared in U.S. indictments.

The operators of “Intrusion Truth” scoured job boards for Hainan companies advertising for “penetration testing engineers,” who secure networks by exploring how they could be hacked.

One posting from Hainan Xiandun stood out. The ad, on a Sichuan University computer science hiring board from 2018, boasted that Xiandun had “received a considerable number of government-secret-related business.”

The company, based in Hainan’s capital, Haikou, paid monthly salaries of $1,200 to $3,000 — solid middle-class wages for Chinese tech workers fresh out of college — with bonuses as high as $15,000. Xiandun’s ads listed an email address used by other firms looking for cybersecurity experts and linguists, suggesting they were part of a network.

Chinese hacking groups are increasingly “sharing malware, exploits and coordinating their efforts,” the operators of “Intrusion Truth” wrote in an email. The operators have not disclosed their identities, citing the sensitivity of their work.

Xiandun’s registered address was the library of Hainan University. Its phone number matched that of a computer science professor and People’s Liberation Army veteran who ran a website offering payments for students with novel ideas about cracking passwords. The professor has not been charged.

Other records and phone numbers led the blog authors to an email address and a frequent-flier account owned by Ding Xiaoyang, one of the managers of the company.

The indictment asserted that Mr. Ding was a state security officer who ran the hackers working at Hainan Xiandun. It included details the blog did not find, like an award Mr. Ding received from the Ministry of State Security for young leaders in the organization.

Mr. Ding and others named in the indictment couldn’t be reached.

Though trackable for now, China’s state security apparatus may be learning how to better hide its footprints, said Matthew Brazil, a former China specialist for the Department of Commerce’s Office of Export Enforcement who has co-written a study of Chinese espionage.

“The abilities of the Chinese services are uneven,” he said. “Their game is getting better, and in five or 10 years it’s going to be a different story.”

(Nicole Perlroth contributed reporting.)


Popular posts from this blog

Menon meets Karzai, discusses security of Indians

Kabul/New Delhi/Washington, March 5 (IANS) India Friday said that the Feb 26 terror attack in Kabul will not deter it from helping rebuild Afghanistan as National Security Adviser Shivshankar Menon met Afghan President Hamid Karzai in Kabul to review the security of around 4,000 Indians working in that country. Menon, who arrived here Friday morning on a two-day visit, discussed with Karzai some proposals to bolster security of Indians engaged in a wide array of reconstruction activities, ranging from building roads, bridges and power stations to social sector projects. The Indian government is contemplating a slew of steps to secure Indians in Afghanistan, including setting up protected venues where the Indians working on various reconstruction projects will be based. Deploying dedicated security personnel at places where Indians work is also being considered. Menon also met his Afghan counterpart Rangin Dadfar Spanta and enquired about the progress in the probe into the Kabul atta

Iran is losing the game to regional actors in its strategic depth

Rethink before It’s Too Late Iran is losing the game to regional actors in its strategic depth –Afghanistan. By Houman Dolati It is no more a surprise to see Iran absent in Afghanistan affairs. Nowadays, the Bonn Conference and Iran’s contributions to Afghanistan look more like a fading memory. Iran, which had promised of loans and credit worth five-hundred million dollars for Afghanistan, and tried to serve a key role, more than many other countries, for reconstruction and stabilization of Afghanistan, is now trying to efface that memory, saying it is a wrong path, even for the international community. Iran’s empty seat in the Rome Conference was another step backward for Afghanistan’s influential neighbor. Many other countries were surprised with Iran’s absence. Finding out the vanity of its efforts to justify absence in Rome, Iran tried to start its

Pakistani firm whose chemicals were used to kill US troops seeks subsidy for Indiana plant

By Jennifer Griffin, Justin Fishel Published March 22, 2013   A Pakistani fertilizer maker whose chemicals have been used in 80 percent of the roadside bombs that have killed and maimed American troops in Afghanistan is now seeking U.S. taxpayer subsidies in order to open a factory in Indiana.  The request appears to be on hold pending further review, but the situation has stirred outrage in Congress, where some accuse the Pakistani government of halting efforts to clamp down on the bomb-making.  For the past seven years, the U.S. government has known that the raw material calcium ammonium nitrate, or CAN, is making its way across the border into Afghanistan where the Taliban use it to fuel their most deadly weapons, namely the improvised explosive device. IEDs have long been the number one killer of U.S. and coalition troops.  The material largely comes from Pakistani fertilizer maker the Fatima Group. But the Pakistani government has stymied attempts by the Pentagon to stop the