China's Dogged Campaign to Portray Itself as Victim of US Hacking
After the US and its allies formally accused China of irresponsible and malicious behavior in cyberspace back in 2021, the government there has been on a mission to cast the US in the same light.
February 12, 2024
For more than two years, China's government has been attempting to portray the US as indulging in the same kind of cyber espionage and intrusion activities as the latter has accused of carrying out over the past several years.
A recent examination of Beijing's claims by researchers at SentinelOne found most of them to be unsubstantiated, often based on previously leaked US intelligence and lacking any technical evidence. However, that has not stopped the Chinese government from pursuing its misinformation campaign in an attempt to divert attention from its own hacking activities, SentinelOne said.
"China hopes to change global public opinion on Chinese hacking," says Dakota Cary, strategic advisory consultant at SentinelOne. "China aims to show itself as the victim of US hacking operation and show how the US is the perpetrator of hacking operations."
To date, the campaign has met with some limited success, as China's claims have made their way into western media outlets like Reuters, he says. Meanwhile, the SentinelOne report comes amid a backdrop of heightened alarm in the US about China's insidious and persistent intrusion campaigns into US critical infrastructure by Chinese threat groups such as Volt Typhoon.
Calling Out China's Hacking Operations
The immediate impetus for China's efforts to push a US hacking narrative appears to be a somewhat extraordinary joint declaration by the US, UK, and European Union governments in July 2021 accusing the government of indulging in malicious "irresponsible and destabilizing behavior in cyberspace." The declaration, among other things, blamed the Chinese government of hiring "criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit."
The White House statement contained a reference to charging documents unsealed in 2018 and 2020 that accused hackers working with China's Ministry of State Security (MSS) of participating in ransomware attacks, crypto-jacking, cyber extortion, and "rank theft". It also announced criminal charges against four individuals at the MSS for engaging in cyber campaigns to steal intellectual property and trade secrets from organizations in the aviation, defense, maritime, and other sectors in the US and other countries.
The US allegations came shortly after an incident where attackers — later identified as working for the MSS — exploited four zero-day bugs in Microsoft Exchange to compromise tens of thousands of computers worldwide. What proved especially irksome was the apparent decision by the Chinese hacking team to automate their attack and to share details of the vulnerability with others when it became apparent that Microsoft was ready to release a patch for the flaws, SentinelOne said.
"The joint statement so irked the PRC government that it began a media campaign to push narratives about US hacking operations in global media outlets," the security vendor said.
China Launches Coordinated Disinformation Campaign
China's attempts to get back at the US include having some cybersecurity firms in the country coordinate publication of reports about US hacking activity, then using government agencies and state media to amplify their impact.
Since early 2022, state media in China began releasing English-language versions of cyber threat intelligence reports from Chinese security firms. The English-language Global Times, a publication that generally reflects the official views of the Chinese Communist Party, mentioned NSA-related hacking tools and operations 24 times in 2022, compared to just twice the preceding year, SentinelOne found.
In 2023, the publication ran a series of articles on US intelligence agencies allegedly hacking into seismic sensors at the Wuhan Earthquake Monitoring Center. The articles were apparently based on a report from Chinese cybersecurity firm Qihoo360 and another Chinese government entity. And last April, China's cybersecurity industry alliance published a report that chronicled more than a decade of research on US cyberattacks such as the Stuxnet campaign on Iran's Natanz nuclear facility.
US Hacks on China: A Lack of Evidence
According to SentinelOne, most of China's reports are not backed by any technical evidence of the sort that cybersecurity firms in the US and some other countries provide when disclosing nation-state campaigns. The Global Times article on the attacks at Wuhan's earthquake monitoring facility, for instance, quotes a Qihoo360 report that is not publicly available anywhere. Even so, the report garnered some attention in the US, with several media outlets running with the story, SentinelOne said.
Reports that do have some form of attribution or evidence are often based on leaked US intelligence documents such as Edward Snowden's leaks, the Vault 7 leaks, and the Shadow Brokers leaks, Cary says. In fact, of the 150 or so citations in the report from China's cybersecurity alliance, less than a third are from Chinese vendors.
"We don't know if China's cybersecurity companies have the data to back up claims of US hacking," Cary says. It is likely that such data does exist somewhere in the PRC, but it's unclear if it would prove their claims, he notes, adding, "What we can say is that China's legal regime and political system have decided against the publication of any such data."
About the Author
You May Also Like