China has invested significant resources in developing its offensive cyber capabilities. It now possesses an extremely large pool of cyber units which are tasked with advancing the state's interests through cyberspace. As a result, China is by far the most active nation in using its offensive cyber capabilities to advance its strategic agenda.
- Strategic motives: Espionage, information theft and disruption
- Strategic goals: Advancing domestic stability, territorial integrity, (military) modernization, economic strength & growth
- Cyber capabilities: ★★★★☆
- Cyber activity: ★★★★★
- Number of APTs: 134
Highly advanced, mature and integrated in intelligence services
Over the years, China has established an environment in which it is continuously developing its offensive cyber capabilities and talent. The large scale and high speed at which these developments occur make it extremely hard for other nation states to replicate or even keep up. Furthermore, although there is no evidence that China has carried out attacks of the highest level of sophistication (e.g. Stuxnet, also known as Operation Socialist), it did carry out multiple highly sophisticated supply-chain attacks. The goal was to get access to companies that hold sensitive information and trade secrets relevant to China's economic ambitions (see cases 1 & 2).
To make use of these offensive cyber capabilities, China has a large number of cyber units at its disposal. Multiple intelligence and military units have been tasked with advancing the state’s interests in the economic, political and military domain by conducting more sophisticated cyber espionage and disruptive operations. Next to that, there are multiple ‘freelance’ hacker groups that are contracted by China to conduct cyber operations. This set-up also creates the opportunity for talented freelancers to progress to the more advanced state-governed units. Additionally, the Chinese government has mobilized multiple Chinese universities to conduct cyber operations with the goal of obtaining research and technologies that also have military applications (‘military-civil fusion’). Chinese students who have studied English have also been recruited by China's state-sponsored APTs to translate sensitive documents obtained from Western targets. In short, China has an extremely large pool of offensive cyber units, ranging from fairly advanced freelance groups to more sophisticated nation-state intelligence and military units.
When it comes to cyber defense, since the rise of internet technologies, China has largely focused on domestic surveillance and controlling the flow of information and less on network protection, resulting in that part of its cyber defense being relatively weak. Next to that, China is the most targeted country by DDoS-attacks in the world, with many attacks being executed from its own soil. Other attacks mostly come from the US, South Korea and Japan and are primarily focused on governmental and financial websites. Lastly, although China is a top producer in hardware components, it still relies on the West for software technologies, which interferes with China’s goal of becoming self-reliant. However, China has the capabilities and resources to reverse engineer such software on a large scale, which arguably limits the actual dependence.
CASE 1: RSA hack (2011)
In 2011, Chinese nation-state hackers broke into U.S. cybersecurity company RSA. The targets of the hack were RSA's secret keys. Access to those keys meant that RSA's encryption could be bypassed. This was such a valuable target, because customers included many U.S. governmental and military institutions, banks and numerous companies around the world. With access to the secret keys, the hackers could bypass the security mechanisms of RSA's high-profile customers. The attack can be considered the first large-scale supply-chain attack and demonstrated how big the threat from state-sponsored hackers can be, as even cybersecurity companies can be hacked by actors with unlimited time and budget.
CASE 2: Cloud Hopper (2014-2017)
Cloud Hopper was an extensive multi-year global cyber espionage campaign allegedly executed by hackers connected to the Chinese government. Hackers broke into several of the world's largest IT service providers and in turn used this access to 'hop' into clients’ networks and steal trade secrets and other sensitive information of interest to China's economic ambitions. An example is biotech company Syngenta, which was taken over by Chinese state-owned chemicals conglomerate ChemChina in 2017. In that same period, APT10 appeared to be in the networks of Hewlett Packard Enterprise, one of the IT service providers. It is assessed that this access was (mis)used to obtain commercial secrets and other sensitive information of interest to the Chinese government.
Strengths, weaknesses, opportunities & threats
Strengths
- Long-term view on using cyber to pursue its strategic agenda
- Comprehensive set of cyber-related national strategies and policies to achieve strategic goals
- Extremely large domestic internet market
- Large scale of cyber units conducting sophisticated cyber operations (e.g. espionage, disruption)
- Large pool of talented (freelance) hackers that can be recruited for its most advanced cyber units
- Chinese universities conducting cyber operations to obtain military-civil fusion research and technologies
- Fast developing digitalization and ICT industry
- Large scale and high speed development of cyber capabilities and talent
Weaknesses
- Relatively weak cyber defense capabilities
- Lagging behind other (Western) states in software production
Opportunities
- Increased share of domestically produced Chinese internet technologies
- Opportunity to use Chinese produced technology as an unparalleled intelligence gathering and attack vector
- Continued high activity in carrying out cyber-attacks using ‘plausible deniability’
- Conducting highly sophisticated supply-chain attacks
Threats
- Continuous victim of DDoS-attacks
- Target for foreign nation states actors
- US and other western countries opposing China’s cyber-related ambitions
- 'Opportunistic' cyber operations interfering with achieving its long-term strategic goals
China’s main ambition is to strengthen its global economic, political and military power and it has a wide range of long-term strategies and policies in place to support this aspiration. Through financial support and foreign policy, China creates dependencies in other countries which gives it more freedom to operate in the cyber domain without risking retaliation. At the same time, China is highly active in conducting opportunistic attacks, which could interfere with achieving its long-term strategic goals.
China's profile in cyberspace is twofold. On the one hand, it has developed a long-term view on how to use cyber to pursue its strategic agenda, whilst on the other, it conducts very opportunistic basic attacks. Due to this lack of focus, the opportunistic cyber operations may interfere with achieving its long-term strategic goals (e.g. by prompting targets to improve their security or by decreasing trust in Chinese technologies).
More specifically on the long term, China actively uses cyberspace to advance its ambition to strengthen its global power, by focusing on (military) modernization, economic growth, domestic stability and territorial integrity. These cyberspace operations are part of a complex, multipronged technology development strategy that uses both licit and illicit methods to achieve its goals (see figure 1).
Figure 1 – China’s multipronged approach to achieve its strategic goals
In realizing economic growth and in becoming less dependent on the West, China actively uses cyberspace to conduct large-scale espionage operations (see case 3). Such operations are often directed at foreign competitive and rivaling companies that possess a lot of intellectual property, trade secrets, R&D and other sensitive information that can boost economic growth. These companies are often part of high-tech industrial sectors, such as IT, robotics, renewable energy, maritime, agriculture, biotechnology, aerospace, transportation and new materials. The strategy that lies at the foundation of China’s economic growth strategy is 'Made in China 2025' (see figure 2). By focusing on industrial modernization, China hopes to increase the share of competitive Chinese companies in high-tech markets and to strengthen its global influence. Cyberspace is also actively used in realizing the Made in China 2025 goals. Therefore, a lot of targets of China’s cyber espionage operations can be traced back to the high-tech industries formulated in the strategy.
Figure 2 - Overview of the Made in China 2025 target sectors
Another strategic initiative of the Chinese government is the 'Belt and Road Initiative' (BRI). The goal of the BRI is to build a global infrastructure network to connect China with the rest of the world (see figure 3). The project consists of two main trade routes: one via land and the other one via waterways (‘the Belt and Road’). Projects include building railways, ports, highways, energy pipelines and other infrastructures with strategic significance. Next to that, China is planning on building special economic zones to boost the international use of the Chinese currency renminbi. China uses these BRI projects to prevent unity (e.g. with Greece and Italy in the EU) and to increase dependencies of other countries. In turn, this would give China more freedom to conduct cyber operations without risking retaliation (as countries with a high degree of dependency on China would probably not speak up).
Figure 3 - China's Belt and Road Initiative
The presence of these (cyber-related) strategies and policies emphasizes how well thought-out and thorough China’s strategy is. Furthermore, China seems to make full use of plausible deniability (difficulty of the attribution of acts in cyberspace) as a cover for carrying out cyber-attacks on an unprecedented scale, thereby not suffering any real consequences.
China also uses cyberspace to advance its political interests, both within and across its own borders. Domestically, it aims to protect political stability by controlling internet access and by promoting propaganda. It is reportedly also monitoring and infiltrating political dissidents and opponents of the state. In foreign affairs, China uses cyberspace to ensure its territorial integrity and sovereignty by targeting governmental, defense and telecommunications agencies in neighboring countries. Next to that, China is also known to use cyberspace for executing attacks that are more disruptive/sabotaging in nature (see case 4).
China has the ambition to become the world’s strongest military power. Therefore, it is continuously working on expanding its military forces, foreign presence and modernizing its armed services. China considers cyberspace to be an area of military combat. It sees cyber operations as a mode of conducting information warfare, aiming to achieve information dominance to advance its strategic goals. An important aspect in China’s military cyber strategy is the concept of active defense or pre-emption. In reality, this strategy of pre-emption can be considered offensive, but it is justified under the heading of self-defense. In 2021, Taiwanese government officials disclosed that Taiwan's government has been facing around five million cyber-attacks on its infrastructures every day, with the overwhelming majority originating from China.
CASE 3: Operation Aurora (2010)
Operation Aurora constitutes a series of cyber-attacks on multiple U.S. companies in January 2010. Compromised companies included, amongst many others, Adobe, Yahoo and Google. The attacks have been attributed to multiple state-sponsored groups from China. The goal appeared to be stealing trade secrets, intellectual property and other useful information that can benefit China's strategic goals. Although the incident is somewhat old in some aspects, it can be considered a milestone event in the history of cyber operations. Operation Aurora can be considered the first incident that showed how cyberspace can be used for industrial espionage purposes.
CASE 4: Cyber attack on Mumbai's electric grid (2020)
In October 2020, Mumbai's electric grid went down for millions of people for a couple of hours. It is suspected that the power outage was caused by a cyber-attack, allegedly conducted by hackers working for the Chinese government. In the summer of 2020, there already had been a physical border conflict between Chinese and Indian troops. Therefore, it is argued that this attack was executed to send the message not to press any further claims on the border. In that case, the attack shows how China can also use cyberspace as a form of deterrence.
Interactions with other nations
Geopolitical relations between China and the West are volatile. Relations with the US have become hostile, as both countries are striving for global hegemony. There are also mutual dependencies between China and the US and Europe, with the latter two depending on China when it comes to multiple critical goods, such as rare raw materials. However, China is also relying greatly on the US and EU when it comes to several high-end technologies, making it currently unable to become fully self-sufficient. Therefore, China is targeting Western companies to obtain IP and other sensitive information that can advance its interest in becoming self-reliant. Furthermore, China uses foreign policy and financial support to prevent unity in the EU (e.g. with Greece and Italy) and to have more freedom to operate in the cyber domain without risking retaliation (as the EU has difficulty speaking with one voice).
Relations between China and the rest of Asia are also at odds, as China’s power is growing and as it is making territorial claims in and around the Asian continent. It is engaged in severe disputes with India along their border, it has made territorial claims against Bhutan and it contests the political status of Hong Kong and Taiwan. Furthermore, China has made territorial claims in the South and East China seas and has already constructed multiple military bases on artificially made islands to assert these claims. However, China’s direct access to open waters remains limited, as the only way to get to the oceans is by narrow straits, which it currently has no control over. Lastly, with Japan and South Korea being important allies of the West, China cannot fully exclude the influence of the West in the region.
Looking beyond just the traditional world powers, China is increasingly strengthening ties with Africa. Economically, China uses the African continent to reap the benefits of the abundant natural resources, to scout investment opportunities and to increase the presence of Chinese companies. Furthermore, China is advancing its international influence by hosting BRI projects on strategic locations, such as the Suez canal (see figure 2). It also has a military base in the strategically located country of Djibouti, which is situated alongside the Gulf of Aden. However, the main reason for China reaching out to Africa is political in nature. By financially and economically supporting African countries, China is establishing a friendly international environment in which it can advance towards global hegemony, after centuries of Western rule.
China is also trying to increase its influence in South America, thereby aiming to counter the U.S. influence in the region. Economically, it is replacing the US as main trading partner and is working on BRI projects to advance its influence in the region. Furthermore, it supports governments that oppose U.S. ideals, and the presence of Chinese military forces, geographically close to the US, is growing.
Advanced Persistent Threats (APTs)
Tactics, Techniques & Procedures (TTPs)
Hunt & Hackett currently tracks 134 Chinese APTs. Looking at the data from the Threat Diagnostic System, the large focus on the US can be explained by the ongoing rivalry for global hegemony between the US and China (see figure 4). Asian countries also seem to be of great interest for Chinese APTs. This can be explained by the territorial claims that China is making to advance its dominance in the region. Lastly, cyber operations as part of the Made in China 2025 initiative are also reflected in the data, with countries such as the UK, South Korea, Japan, Germany and France scoring high on targeted countries.
Figure 4 – Targeted countries by Chinese APTs
China’s strong focus on affairs in the Asian region is also supported when looking at anomalies in targeted countries. Anomalies are based on differences between China and the rest of the actors in the dataset. In other words, anomalies indicate to what extent China has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. From figure 5, it becomes clear that Chinese APTs target Asian countries more often in relation to other APTs, with especially Hong Kong and Taiwan standing out in the data.
Figure 5 – Anomalies in the data compared to the global threat landscape (observed countries)
Chinese APTs appear to have a strong focus on governments (see figure 6). The focus on governments can be supported by China’s large interest in the state of affairs in neighboring countries, but also in the West.
Multiple high-scoring sectors correspond to the focus sectors of the Made in China 2025 strategy, with technology ranking second, but industrial, transportation, energy, high-tech and biotech also being present. These are all sectors that boost industrial modernization and ultimately can assist China's strategic agenda by increasing and strengthening its position on the global market. China's high focus on the defense sector can be traced back to China’s active ambition to become the world’s strongest military power.
Figure 6 – Targeted sectors by Chinese APTs
The strong focus on high-tech manufacturing as set out in the Made in China 2025 initiative is emphasized when looking at anomalies in targeted sectors, as Chinese APTs target high-tech industries more often compared to other APTs.
Figure 7 – Anomalies in the data compared to the global threat landscape (sectors)
This profile aims to describe China's cyber power from a threat intelligence perspective. For a geopolitical angle of China's cyber power, see the chapter on China from IISS’s research paper called 'Cyber Capabilities and National Power: A Net Assessment' (downloadable as PDF) on https://www.iiss.org/blogs/research-paper/2021/06/cyber-power---tier-two.
- IISS. Cyber Capabilities and National Power: A Net Assessment.
- Amy Chang, ‘Warring State: China’s Cybersecurity Strategy’, Center for a New American Security, December 2014
- China Aerospace Studies Institute, In Their Own Words: Foreign Military Thought – Science of Military Strategy 2013
- Geopolitics of East Asia
- China’s Expanding African Relations: Implications for U.S. National Security
- The Return of Geopolitics: Latin America and the Caribbean in an Era of Strategic Competition
- China’s Non-traditional Espionage Against the United States: the Threat and Potential Policy Responses.
- Military and Security Developments Involving the People’s Republic of China 2021.
- The “Cyber Weapons Gap”. The Assessment of the China’s Cyber Warfare Capabilities and Its Consequences for Potential Conflict over Taiwan.